Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 19:36
Behavioral task
behavioral1
Sample
JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe
-
Size
1.3MB
-
MD5
9c7cd2988c0ad5d8c15ecae6edfc6bd7
-
SHA1
74eda384809243c73178bb1d7c507e8e82f3ac59
-
SHA256
d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e
-
SHA512
4e47f8405f7a459e4d6609890bbdb1957f16c35553dcc87bc97dc4c8d238dce0aa30f9da23ec4a7bcc9fb77b564c791927c05a453ff63e2722dd242612aadb96
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 668 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1472 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 624 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2344 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 808 | 2892 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x00080000000162b2-9.dat | dcrat
behavioral1/memory/2168-13-0x0000000000A10000-0x0000000000B20000-memory.dmp | dcrat
behavioral1/memory/1288-87-0x0000000000D60000-0x0000000000E70000-memory.dmp | dcrat
behavioral1/memory/1524-205-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat
behavioral1/memory/2604-266-0x0000000001210000-0x0000000001320000-memory.dmp | dcrat
behavioral1/memory/1776-385-0x00000000001A0000-0x00000000002B0000-memory.dmp | dcrat
behavioral1/memory/580-445-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
behavioral1/memory/1712-505-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
behavioral1/memory/2104-565-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
behavioral1/memory/1784-625-0x0000000000170000-0x0000000000280000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
320 | powershell.exe
1484 | powershell.exe
2528 | powershell.exe
2376 | powershell.exe
1828 | powershell.exe
948 | powershell.exe
632 | powershell.exe
572 | powershell.exe
2052 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2168 | DllCommonsvc.exe
1288 | Idle.exe
1704 | Idle.exe
1524 | Idle.exe
2604 | Idle.exe
2976 | Idle.exe
1776 | Idle.exe
580 | Idle.exe
1712 | Idle.exe
2104 | Idle.exe
1784 | Idle.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2692 | cmd.exe
2692 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
9 | raw.githubusercontent.com
27 | raw.githubusercontent.com
31 | raw.githubusercontent.com
34 | raw.githubusercontent.com
5 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
24 | raw.githubusercontent.com
4 | raw.githubusercontent.com
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\it-IT\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\it-IT\5940a34987c991 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2596 | schtasks.exe
2840 | schtasks.exe
2836 | schtasks.exe
1120 | schtasks.exe
808 | schtasks.exe
2792 | schtasks.exe
1508 | schtasks.exe
2736 | schtasks.exe
2720 | schtasks.exe
2032 | schtasks.exe
668 | schtasks.exe
1744 | schtasks.exe
2128 | schtasks.exe
624 | schtasks.exe
2624 | schtasks.exe
2616 | schtasks.exe
2648 | schtasks.exe
2356 | schtasks.exe
2584 | schtasks.exe
2632 | schtasks.exe
2432 | schtasks.exe
1844 | schtasks.exe
1472 | schtasks.exe
2344 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
2168 | DllCommonsvc.exe
2168 | DllCommonsvc.exe
2168 | DllCommonsvc.exe
2168 | DllCommonsvc.exe
2168 | DllCommonsvc.exe
1828 | powershell.exe
632 | powershell.exe
2052 | powershell.exe
2376 | powershell.exe
1484 | powershell.exe
320 | powershell.exe
948 | powershell.exe
572 | powershell.exe
2528 | powershell.exe
1288 | Idle.exe
1704 | Idle.exe
1524 | Idle.exe
2604 | Idle.exe
2976 | Idle.exe
1776 | Idle.exe
580 | Idle.exe
1712 | Idle.exe
2104 | Idle.exe
1784 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2168 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1828 | powershell.exe
Token: SeDebugPrivilege | 632 | powershell.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 1484 | powershell.exe
Token: SeDebugPrivilege | 320 | powershell.exe
Token: SeDebugPrivilege | 948 | powershell.exe
Token: SeDebugPrivilege | 572 | powershell.exe
Token: SeDebugPrivilege | 2528 | powershell.exe
Token: SeDebugPrivilege | 1288 | Idle.exe
Token: SeDebugPrivilege | 1704 | Idle.exe
Token: SeDebugPrivilege | 1524 | Idle.exe
Token: SeDebugPrivilege | 2604 | Idle.exe
Token: SeDebugPrivilege | 2976 | Idle.exe
Token: SeDebugPrivilege | 1776 | Idle.exe
Token: SeDebugPrivilege | 580 | Idle.exe
Token: SeDebugPrivilege | 1712 | Idle.exe
Token: SeDebugPrivilege | 2104 | Idle.exe
Token: SeDebugPrivilege | 1784 | Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe | 30
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe | 30
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe | 30
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe | 30
PID 2408 wrote to memory of 2692 | 2408 | WScript.exe | 31
PID 2408 wrote to memory of 2692 | 2408 | WScript.exe | 31
PID 2408 wrote to memory of 2692 | 2408 | WScript.exe | 31
PID 2408 wrote to memory of 2692 | 2408 | WScript.exe | 31
PID 2692 wrote to memory of 2168 | 2692 | cmd.exe | 33
PID 2692 wrote to memory of 2168 | 2692 | cmd.exe | 33
PID 2692 wrote to memory of 2168 | 2692 | cmd.exe | 33
PID 2692 wrote to memory of 2168 | 2692 | cmd.exe | 33
PID 2168 wrote to memory of 320 | 2168 | DllCommonsvc.exe | 59
PID 2168 wrote to memory of 320 | 2168 | DllCommonsvc.exe | 59
PID 2168 wrote to memory of 320 | 2168 | DllCommonsvc.exe | 59
PID 2168 wrote to memory of 1828 | 2168 | DllCommonsvc.exe | 60
PID 2168 wrote to memory of 1828 | 2168 | DllCommonsvc.exe | 60
PID 2168 wrote to memory of 1828 | 2168 | DllCommonsvc.exe | 60
PID 2168 wrote to memory of 948 | 2168 | DllCommonsvc.exe | 61
PID 2168 wrote to memory of 948 | 2168 | DllCommonsvc.exe | 61
PID 2168 wrote to memory of 948 | 2168 | DllCommonsvc.exe | 61
PID 2168 wrote to memory of 632 | 2168 | DllCommonsvc.exe | 62
PID 2168 wrote to memory of 632 | 2168 | DllCommonsvc.exe | 62
PID 2168 wrote to memory of 632 | 2168 | DllCommonsvc.exe | 62
PID 2168 wrote to memory of 1484 | 2168 | DllCommonsvc.exe | 63
PID 2168 wrote to memory of 1484 | 2168 | DllCommonsvc.exe | 63
PID 2168 wrote to memory of 1484 | 2168 | DllCommonsvc.exe | 63
PID 2168 wrote to memory of 572 | 2168 | DllCommonsvc.exe | 64
PID 2168 wrote to memory of 572 | 2168 | DllCommonsvc.exe | 64
PID 2168 wrote to memory of 572 | 2168 | DllCommonsvc.exe | 64
PID 2168 wrote to memory of 2528 | 2168 | DllCommonsvc.exe | 65
PID 2168 wrote to memory of 2528 | 2168 | DllCommonsvc.exe | 65
PID 2168 wrote to memory of 2528 | 2168 | DllCommonsvc.exe | 65
PID 2168 wrote to memory of 2376 | 2168 | DllCommonsvc.exe | 66
PID 2168 wrote to memory of 2376 | 2168 | DllCommonsvc.exe | 66
PID 2168 wrote to memory of 2376 | 2168 | DllCommonsvc.exe | 66
PID 2168 wrote to memory of 2052 | 2168 | DllCommonsvc.exe | 67
PID 2168 wrote to memory of 2052 | 2168 | DllCommonsvc.exe | 67
PID 2168 wrote to memory of 2052 | 2168 | DllCommonsvc.exe | 67
PID 2168 wrote to memory of 3044 | 2168 | DllCommonsvc.exe | 77
PID 2168 wrote to memory of 3044 | 2168 | DllCommonsvc.exe | 77
PID 2168 wrote to memory of 3044 | 2168 | DllCommonsvc.exe | 77
PID 3044 wrote to memory of 2180 | 3044 | cmd.exe | 79
PID 3044 wrote to memory of 2180 | 3044 | cmd.exe | 79
PID 3044 wrote to memory of 2180 | 3044 | cmd.exe | 79
PID 3044 wrote to memory of 1288 | 3044 | cmd.exe | 80
PID 3044 wrote to memory of 1288 | 3044 | cmd.exe | 80
PID 3044 wrote to memory of 1288 | 3044 | cmd.exe | 80
PID 1288 wrote to memory of 876 | 1288 | Idle.exe | 82
PID 1288 wrote to memory of 876 | 1288 | Idle.exe | 82
PID 1288 wrote to memory of 876 | 1288 | Idle.exe | 82
PID 876 wrote to memory of 1124 | 876 | cmd.exe | 84
PID 876 wrote to memory of 1124 | 876 | cmd.exe | 84
PID 876 wrote to memory of 1124 | 876 | cmd.exe | 84
PID 876 wrote to memory of 1704 | 876 | cmd.exe | 85
PID 876 wrote to memory of 1704 | 876 | cmd.exe | 85
PID 876 wrote to memory of 1704 | 876 | cmd.exe | 85
PID 1704 wrote to memory of 1140 | 1704 | Idle.exe | 86
PID 1704 wrote to memory of 1140 | 1704 | Idle.exe | 86
PID 1704 wrote to memory of 1140 | 1704 | Idle.exe | 86
PID 1140 wrote to memory of 2964 | 1140 | cmd.exe | 88
PID 1140 wrote to memory of 2964 | 1140 | cmd.exe | 88
PID 1140 wrote to memory of 2964 | 1140 | cmd.exe | 88
PID 1140 wrote to memory of 1524 | 1140 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SJE3qadHNn.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2180
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:1124
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2964
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat" 11⤵ PID:2100
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:2168
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat" 13⤵ PID:1744
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:2712
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat" 15⤵ PID:1496
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:2276
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat" 17⤵ PID:2036
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:3048
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat" 19⤵ PID:2180
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:2296
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat" 21⤵ PID:2692
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:2456
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat" 23⤵ PID:2752
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:1028
-
-
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a69bc7821f8beac4f65586941fe315a0
SHA17262f7d076aff59c3783e9840f28c27100e35b10
SHA256cf84a2cf9497b214a437829948ae237fb84092c0232b432ed637e4377d932a2a
SHA512b8b9148749e93477d057c430356fce3100951f4757c38cfb06ca353702299e8a6bac8572bead5c42c37212777f9f33c33085114f0fe09e87e0806371e4f4a9ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD579a190ca3c763407d6f0daec29a7432f
SHA1986cea41abaaa49cec270c4db7ff7c1513188de5
SHA256e43ccee65250fe375f5d9a8c8c275e95c7e622f13739c430d14028fc2787fb47
SHA51255ac301c38ecfdfe2332df2655c8bcb30c19ef26be3deee5739856ff4ceecd12d9f53ba9809ea49630a72bd098913d11a75b8ae7a1249a4a90b607867612d520
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a535990e43451791f3ab32d0297b3e7e
SHA18762a2dd10580a746fe7ce27a2d9d878bc6cdc26
SHA256174c1408d912a25cfa76ad160abe1d1a4dcb2984b7e0cb0123a448e4db2c557a
SHA5126333e4d0322210ceb43a14d9b7cb6fa6c2cd9fa0e992c799ad85bacf34169fa569da5010f6ca9048311e16e70aa283ceb5bc24bf8cd7881c349b4f78b1379059
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58580a08785b115bc67adb657f3a6a938
SHA16255ce98795126d638b87138637d08e46a6e17bb
SHA256d3142d91c282d2b5a505847d3c0c58ede0600ae4b60c67ab7c4342b91ac69190
SHA512e04703e85fc170f7e7f12b5dfccd2993c2a9fde0cb478843b16c2c1331cfdf4c2e1e7207755ae3685a20c51d929b55404c9058bbfe4c75e9dd033e215874e810
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5283fa4098b5884ce1cd225a02a278aad
SHA191a748d946eab4abb80d0e52fdc2b3dbb6089182
SHA256754fce2da014d7145554fbb7b8b761a627049d41777de19185ba038cec8015cf
SHA512d777e91f1421216145b07418fd7e1134a28f2655eb57be8871212bb17209c6b9ef41affe8f734e8b79ba474d2cdb763870250c81280bcbcc841b4948cb7e2e5e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD522470fa65eacccb5ba8f5e28dac0b02f
SHA1f0cd0a040a97b518c913f907bdb04add6523173a
SHA2565c553cff916850df1e4bbe36453dd45fecd8e93e13ed85e186070c2f73a69bc2
SHA5124b6dc19566f3e4277fc671ea06d4f5136304f0d968a0741cd4a3e489a1df156afb4f11f6cbc50384fdac40500efb6988c3a7ce9e501f2deb08c55b7679756aae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50cc50f1baa84ff39a0d0acfefa4ba183
SHA1a98303774f09e7f3983d37b0f84d2e6538e3318c
SHA2561e73e7ec152591d003a04906e1505242667b328f753667266c5853ccd8f5ff54
SHA512da50d4d227ca2d376b39f84ced6b74014025ec0822fc0b6b1407c93a407d97b341e51b8f3079d0f3bb33832350147877f0637bd1f54e69cfdfb6d69443598a1f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59e4ae6c637b814c2c4432e405a67c376
SHA13fb84870776234e3cc1761176076201ebb017450
SHA2562bc3bc5be6a3ad4c28ea00debf20202e5639dd06704125b9c64bdb92628a7dfe
SHA512248fe3d2bd8990c98d1b9a89ba2706f2b4b2d23c5c37e836fccfb6e584d1721acca31f667c42b6c19ce30997eb57c4b454edf6fcf003370495c3f4d316c822d5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB