Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 21:20
Behavioral task
behavioral1
Sample
JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
Resource
win10v2004-20241007-en
General
- Target: JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
- Size: 1.3MB
- MD5: 732feb348deab0790fffe8c519942e99
- SHA1: 608f37e9e72eef830a498e159d03c383056190ec
- SHA256: eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560
- SHA512: 8c888f1f43430ec5616a3dc299aa1408f6942f32a4715d56ba3542a69656616a5d6224e9522f0fdeb55afbb56e54b1b1f23f17cca299918bc686a8a9fed13263
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3116 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4480 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3112 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4108 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3408 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4176 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 700 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4524 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4164 | 4484 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 4484 | schtasks.exe | 88
-
resource | yara_rule
behavioral2/files/0x000a000000023b73-10.dat | dcrat
behavioral2/memory/3976-13-0x00000000005B0000-0x00000000006C0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1820 | powershell.exe
3916 | powershell.exe
684 | powershell.exe
424 | powershell.exe
2832 | powershell.exe
2940 | powershell.exe
4352 | powershell.exe
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
-
Executes dropped EXE 15 IoCs
pid | Process
3976 | DllCommonsvc.exe
4056 | RuntimeBroker.exe
1420 | RuntimeBroker.exe
1516 | RuntimeBroker.exe
4400 | RuntimeBroker.exe
2560 | RuntimeBroker.exe
2928 | RuntimeBroker.exe
3416 | RuntimeBroker.exe
2764 | RuntimeBroker.exe
2396 | RuntimeBroker.exe
5020 | RuntimeBroker.exe
1996 | RuntimeBroker.exe
4340 | RuntimeBroker.exe
2708 | RuntimeBroker.exe
4820 | RuntimeBroker.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow | ioc
39 | raw.githubusercontent.com
54 | raw.githubusercontent.com
57 | raw.githubusercontent.com
24 | raw.githubusercontent.com
38 | raw.githubusercontent.com
46 | raw.githubusercontent.com
51 | raw.githubusercontent.com
55 | raw.githubusercontent.com
17 | raw.githubusercontent.com
45 | raw.githubusercontent.com
56 | raw.githubusercontent.com
16 | raw.githubusercontent.com
40 | raw.githubusercontent.com
44 | raw.githubusercontent.com
53 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
-
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | RuntimeBroker.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1440 | schtasks.exe
2476 | schtasks.exe
4524 | schtasks.exe
2580 | schtasks.exe
2440 | schtasks.exe
4108 | schtasks.exe
2936 | schtasks.exe
700 | schtasks.exe
1996 | schtasks.exe
2448 | schtasks.exe
2032 | schtasks.exe
4480 | schtasks.exe
3408 | schtasks.exe
4176 | schtasks.exe
628 | schtasks.exe
3116 | schtasks.exe
3112 | schtasks.exe
4164 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3976 | DllCommonsvc.exe
3916 | powershell.exe
2940 | powershell.exe
4352 | powershell.exe
424 | powershell.exe
2832 | powershell.exe
1820 | powershell.exe
684 | powershell.exe
3916 | powershell.exe
4056 | RuntimeBroker.exe
4352 | powershell.exe
424 | powershell.exe
2940 | powershell.exe
1820 | powershell.exe
2832 | powershell.exe
684 | powershell.exe
1420 | RuntimeBroker.exe
1516 | RuntimeBroker.exe
4400 | RuntimeBroker.exe
2560 | RuntimeBroker.exe
2928 | RuntimeBroker.exe
3416 | RuntimeBroker.exe
2764 | RuntimeBroker.exe
2396 | RuntimeBroker.exe
5020 | RuntimeBroker.exe
1996 | RuntimeBroker.exe
4340 | RuntimeBroker.exe
2708 | RuntimeBroker.exe
4820 | RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3976 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3916 | powershell.exe
Token: SeDebugPrivilege | 4352 | powershell.exe
Token: SeDebugPrivilege | 424 | powershell.exe
Token: SeDebugPrivilege | 2940 | powershell.exe
Token: SeDebugPrivilege | 1820 | powershell.exe
Token: SeDebugPrivilege | 2832 | powershell.exe
Token: SeDebugPrivilege | 684 | powershell.exe
Token: SeDebugPrivilege | 4056 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1420 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1516 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4400 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2560 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2928 | RuntimeBroker.exe
Token: SeDebugPrivilege | 3416 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2764 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2396 | RuntimeBroker.exe
Token: SeDebugPrivilege | 5020 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1996 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4340 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2708 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4820 | RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4068 wrote to memory of 1640 | 4068 | JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe | 83
PID 4068 wrote to memory of 1640 | 4068 | JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe | 83
PID 4068 wrote to memory of 1640 | 4068 | JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe | 83
PID 1640 wrote to memory of 332 | 1640 | WScript.exe | 85
PID 1640 wrote to memory of 332 | 1640 | WScript.exe | 85
PID 1640 wrote to memory of 332 | 1640 | WScript.exe | 85
PID 332 wrote to memory of 3976 | 332 | cmd.exe | 87
PID 332 wrote to memory of 3976 | 332 | cmd.exe | 87
PID 3976 wrote to memory of 684 | 3976 | DllCommonsvc.exe | 108
PID 3976 wrote to memory of 684 | 3976 | DllCommonsvc.exe | 108
PID 3976 wrote to memory of 424 | 3976 | DllCommonsvc.exe | 109
PID 3976 wrote to memory of 424 | 3976 | DllCommonsvc.exe | 109
PID 3976 wrote to memory of 3916 | 3976 | DllCommonsvc.exe | 110
PID 3976 wrote to memory of 3916 | 3976 | DllCommonsvc.exe | 110
PID 3976 wrote to memory of 1820 | 3976 | DllCommonsvc.exe | 111
PID 3976 wrote to memory of 1820 | 3976 | DllCommonsvc.exe | 111
PID 3976 wrote to memory of 4352 | 3976 | DllCommonsvc.exe | 112
PID 3976 wrote to memory of 4352 | 3976 | DllCommonsvc.exe | 112
PID 3976 wrote to memory of 2940 | 3976 | DllCommonsvc.exe | 113
PID 3976 wrote to memory of 2940 | 3976 | DllCommonsvc.exe | 113
PID 3976 wrote to memory of 2832 | 3976 | DllCommonsvc.exe | 114
PID 3976 wrote to memory of 2832 | 3976 | DllCommonsvc.exe | 114
PID 3976 wrote to memory of 4056 | 3976 | DllCommonsvc.exe | 121
PID 3976 wrote to memory of 4056 | 3976 | DllCommonsvc.exe | 121
PID 4056 wrote to memory of 4536 | 4056 | RuntimeBroker.exe | 124
PID 4056 wrote to memory of 4536 | 4056 | RuntimeBroker.exe | 124
PID 4536 wrote to memory of 1440 | 4536 | cmd.exe | 126
PID 4536 wrote to memory of 1440 | 4536 | cmd.exe | 126
PID 4536 wrote to memory of 1420 | 4536 | cmd.exe | 135
PID 4536 wrote to memory of 1420 | 4536 | cmd.exe | 135
PID 1420 wrote to memory of 4288 | 1420 | RuntimeBroker.exe | 141
PID 1420 wrote to memory of 4288 | 1420 | RuntimeBroker.exe | 141
PID 4288 wrote to memory of 3448 | 4288 | cmd.exe | 143
PID 4288 wrote to memory of 3448 | 4288 | cmd.exe | 143
PID 4288 wrote to memory of 1516 | 4288 | cmd.exe | 147
PID 4288 wrote to memory of 1516 | 4288 | cmd.exe | 147
PID 1516 wrote to memory of 4352 | 1516 | RuntimeBroker.exe | 150
PID 1516 wrote to memory of 4352 | 1516 | RuntimeBroker.exe | 150
PID 4352 wrote to memory of 3956 | 4352 | cmd.exe | 152
PID 4352 wrote to memory of 3956 | 4352 | cmd.exe | 152
PID 4352 wrote to memory of 4400 | 4352 | cmd.exe | 154
PID 4352 wrote to memory of 4400 | 4352 | cmd.exe | 154
PID 4400 wrote to memory of 1916 | 4400 | RuntimeBroker.exe | 156
PID 4400 wrote to memory of 1916 | 4400 | RuntimeBroker.exe | 156
PID 1916 wrote to memory of 2380 | 1916 | cmd.exe | 158
PID 1916 wrote to memory of 2380 | 1916 | cmd.exe | 158
PID 1916 wrote to memory of 2560 | 1916 | cmd.exe | 160
PID 1916 wrote to memory of 2560 | 1916 | cmd.exe | 160
PID 2560 wrote to memory of 1996 | 2560 | RuntimeBroker.exe | 162
PID 2560 wrote to memory of 1996 | 2560 | RuntimeBroker.exe | 162
PID 1996 wrote to memory of 3404 | 1996 | cmd.exe | 164
PID 1996 wrote to memory of 3404 | 1996 | cmd.exe | 164
PID 1996 wrote to memory of 2928 | 1996 | cmd.exe | 166
PID 1996 wrote to memory of 2928 | 1996 | cmd.exe | 166
PID 2928 wrote to memory of 4308 | 2928 | RuntimeBroker.exe | 169
PID 2928 wrote to memory of 4308 | 2928 | RuntimeBroker.exe | 169
PID 4308 wrote to memory of 4232 | 4308 | cmd.exe | 171
PID 4308 wrote to memory of 4232 | 4308 | cmd.exe | 171
PID 4308 wrote to memory of 3416 | 4308 | cmd.exe | 173
PID 4308 wrote to memory of 3416 | 4308 | cmd.exe | 173
PID 3416 wrote to memory of 2636 | 3416 | RuntimeBroker.exe | 175
PID 3416 wrote to memory of 2636 | 3416 | RuntimeBroker.exe | 175
PID 2636 wrote to memory of 5000 | 2636 | cmd.exe | 177
PID 2636 wrote to memory of 5000 | 2636 | cmd.exe | 177
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:332 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵
PID:1440
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵
PID:3448
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵
PID:3956
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵
PID:2380
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵
PID:3404
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat" 16⤵
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵
PID:4232
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat" 18⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵
PID:5000
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat" 20⤵
PID:1516
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵
PID:2208
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat" 22⤵
PID:1496
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵
PID:1632
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat" 24⤵
PID:4176
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵
PID:3296
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat" 26⤵
PID:2868
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵
PID:3984
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat" 28⤵
PID:3736
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 29⤵
PID:1964
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat" 30⤵
PID:5060
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 31⤵
PID:1616
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe" 31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat" 32⤵
PID:2660
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 33⤵
PID:2344
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
Network
MITRE ATT&CK Enterprise v15
Downloads