Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 20:47
Behavioral task
behavioral1
Sample
JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe
-
Size
1.3MB
-
MD5
40f0e9d4a2fa4beb2b6bbfad4db622c0
-
SHA1
e8c345112ba9f492956dc1cc5d3b5888059f5095
-
SHA256
67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3
-
SHA512
ecbd1972978eff67eea2b28d9774bfd9af839c5fbf157d65cf0f5787a5d14feaf814c11fd7e06b85ebd63a136877945862fd29192a40d5bad46bce25beaeeca0
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2564 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1096 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 984 2668 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 2668 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x000700000001920f-9.dat dcrat behavioral1/memory/3064-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp dcrat behavioral1/memory/840-87-0x0000000001300000-0x0000000001410000-memory.dmp dcrat behavioral1/memory/2248-146-0x00000000002D0000-0x00000000003E0000-memory.dmp dcrat behavioral1/memory/2164-206-0x00000000001B0000-0x00000000002C0000-memory.dmp dcrat behavioral1/memory/2692-266-0x0000000000F00000-0x0000000001010000-memory.dmp dcrat behavioral1/memory/1096-327-0x00000000001D0000-0x00000000002E0000-memory.dmp dcrat behavioral1/memory/2600-387-0x0000000001110000-0x0000000001220000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 316 powershell.exe 1316 powershell.exe 1748 powershell.exe 308 powershell.exe 848 powershell.exe 1540 powershell.exe 876 powershell.exe 2268 powershell.exe 664 powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 3064 DllCommonsvc.exe 1240 DllCommonsvc.exe 840 WMIADAP.exe 2248 WMIADAP.exe 2164 WMIADAP.exe 2692 WMIADAP.exe 1096 WMIADAP.exe 2600 WMIADAP.exe 876 WMIADAP.exe 2544 WMIADAP.exe 2500 WMIADAP.exe -
Loads dropped DLL 2 IoCs
pid Process 2108 cmd.exe 2108 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 4 raw.githubusercontent.com 5 raw.githubusercontent.com 13 raw.githubusercontent.com 27 raw.githubusercontent.com 31 raw.githubusercontent.com 32 raw.githubusercontent.com 35 raw.githubusercontent.com 9 raw.githubusercontent.com 16 raw.githubusercontent.com 20 raw.githubusercontent.com 24 raw.githubusercontent.com -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\VideoLAN\csrss.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\conhost.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Windows Defender\conhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\088424020bedd6 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\SoftwareDistribution\AuthCabs\1610b97d3ab4a7 DllCommonsvc.exe File created C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2624 schtasks.exe 1096 schtasks.exe 2876 schtasks.exe 572 schtasks.exe 984 schtasks.exe 2680 schtasks.exe 2488 schtasks.exe 1424 schtasks.exe 2936 schtasks.exe 2792 schtasks.exe 2636 schtasks.exe 2648 schtasks.exe 2988 schtasks.exe 2420 schtasks.exe 1928 schtasks.exe 1956 schtasks.exe 2832 schtasks.exe 2524 schtasks.exe 2564 schtasks.exe 2308 schtasks.exe 2948 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 3064 DllCommonsvc.exe 3064 DllCommonsvc.exe 3064 DllCommonsvc.exe 664 powershell.exe 308 powershell.exe 1316 powershell.exe 1540 powershell.exe 316 powershell.exe 848 powershell.exe 1240 DllCommonsvc.exe 876 powershell.exe 1748 powershell.exe 2268 powershell.exe 840 WMIADAP.exe 2248 WMIADAP.exe 2164 WMIADAP.exe 2692 WMIADAP.exe 1096 WMIADAP.exe 2600 WMIADAP.exe 876 WMIADAP.exe 2544 WMIADAP.exe 2500 WMIADAP.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process Token: SeDebugPrivilege 3064 DllCommonsvc.exe Token: SeDebugPrivilege 664 powershell.exe Token: SeDebugPrivilege 308 powershell.exe Token: SeDebugPrivilege 1316 powershell.exe Token: SeDebugPrivilege 1540 powershell.exe Token: SeDebugPrivilege 316 powershell.exe Token: SeDebugPrivilege 848 powershell.exe Token: SeDebugPrivilege 1240 DllCommonsvc.exe Token: SeDebugPrivilege 876 powershell.exe Token: SeDebugPrivilege 1748 powershell.exe Token: SeDebugPrivilege 2268 powershell.exe Token: SeDebugPrivilege 840 WMIADAP.exe Token: SeDebugPrivilege 2248 WMIADAP.exe Token: SeDebugPrivilege 2164 WMIADAP.exe Token: SeDebugPrivilege 2692 WMIADAP.exe Token: SeDebugPrivilege 1096 WMIADAP.exe Token: SeDebugPrivilege 2600 WMIADAP.exe Token: SeDebugPrivilege 876 WMIADAP.exe Token: SeDebugPrivilege 2544 WMIADAP.exe Token: SeDebugPrivilege 2500 WMIADAP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2088 2156 JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe 30 PID 2156 wrote to memory of 2088 2156 JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe 30 PID 2156 wrote to memory of 2088 2156 JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe 30 PID 2156 wrote to memory of 2088 2156 JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe 30 PID 2088 wrote to memory of 2108 2088 WScript.exe 31 PID 2088 wrote to memory of 2108 2088 WScript.exe 31 PID 2088 wrote to memory of 2108 2088 WScript.exe 31 PID 2088 wrote to memory of 2108 2088 WScript.exe 31 PID 2108 wrote to memory of 3064 2108 cmd.exe 33 PID 2108 wrote to memory of 3064 2108 cmd.exe 33 PID 2108 wrote to memory of 3064 2108 cmd.exe 33 PID 2108 wrote to memory of 3064 2108 cmd.exe 33 PID 3064 wrote to memory of 308 3064 DllCommonsvc.exe 50 PID 3064 wrote to memory of 308 3064 DllCommonsvc.exe 50 PID 3064 wrote to memory of 308 3064 DllCommonsvc.exe 50 PID 3064 wrote to memory of 664 3064 DllCommonsvc.exe 51 PID 3064 wrote to memory of 664 3064 DllCommonsvc.exe 51 PID 3064 wrote to memory of 664 3064 DllCommonsvc.exe 51 PID 3064 wrote to memory of 1540 3064 DllCommonsvc.exe 53 PID 3064 wrote to memory of 1540 3064 DllCommonsvc.exe 53 PID 3064 wrote to memory of 1540 3064 DllCommonsvc.exe 53 PID 3064 wrote to memory of 1316 3064 DllCommonsvc.exe 54 PID 3064 wrote to memory of 1316 3064 DllCommonsvc.exe 54 PID 3064 wrote to memory of 1316 3064 DllCommonsvc.exe 54 PID 3064 wrote to memory of 316 3064 DllCommonsvc.exe 55 PID 3064 wrote to memory of 316 3064 DllCommonsvc.exe 55 PID 3064 wrote to memory of 316 3064 DllCommonsvc.exe 55 PID 3064 wrote to memory of 848 3064 DllCommonsvc.exe 56 PID 3064 wrote to memory of 848 3064 DllCommonsvc.exe 56 PID 3064 wrote to memory of 848 3064 DllCommonsvc.exe 56 PID 3064 wrote to memory of 1708 3064 DllCommonsvc.exe 62 PID 3064 wrote to memory of 1708 3064 DllCommonsvc.exe 62 PID 3064 wrote to memory of 1708 3064 DllCommonsvc.exe 62 PID 1708 wrote to memory of 916 1708 cmd.exe 64 PID 1708 wrote to memory of 916 1708 cmd.exe 64 PID 1708 wrote to memory of 916 1708 cmd.exe 64 PID 1708 wrote to memory of 1240 1708 cmd.exe 66 PID 1708 wrote to memory of 1240 1708 cmd.exe 66 PID 1708 wrote to memory of 1240 1708 cmd.exe 66 PID 1240 wrote to memory of 1748 1240 DllCommonsvc.exe 73 PID 1240 wrote to memory of 1748 1240 DllCommonsvc.exe 73 PID 1240 wrote to memory of 1748 1240 DllCommonsvc.exe 73 PID 1240 wrote to memory of 876 1240 DllCommonsvc.exe 74 PID 1240 wrote to memory of 876 1240 DllCommonsvc.exe 74 PID 1240 wrote to memory of 876 1240 DllCommonsvc.exe 74 PID 1240 wrote to memory of 2268 1240 DllCommonsvc.exe 75 PID 1240 wrote to memory of 2268 1240 DllCommonsvc.exe 75 PID 1240 wrote to memory of 2268 1240 DllCommonsvc.exe 75 PID 1240 wrote to memory of 2804 1240 DllCommonsvc.exe 79 PID 1240 wrote to memory of 2804 1240 DllCommonsvc.exe 79 PID 1240 wrote to memory of 2804 1240 DllCommonsvc.exe 79 PID 2804 wrote to memory of 2536 2804 cmd.exe 81 PID 2804 wrote to memory of 2536 2804 cmd.exe 81 PID 2804 wrote to memory of 2536 2804 cmd.exe 81 PID 2804 wrote to memory of 840 2804 cmd.exe 82 PID 2804 wrote to memory of 840 2804 cmd.exe 82 PID 2804 wrote to memory of 840 2804 cmd.exe 82 PID 840 wrote to memory of 1136 840 WMIADAP.exe 83 PID 840 wrote to memory of 1136 840 WMIADAP.exe 83 PID 840 wrote to memory of 1136 840 WMIADAP.exe 83 PID 1136 wrote to memory of 1652 1136 cmd.exe 85 PID 1136 wrote to memory of 1652 1136 cmd.exe 85 PID 1136 wrote to memory of 1652 1136 cmd.exe 85 PID 1136 wrote to memory of 2248 1136 cmd.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:916
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2536
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1652
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"11⤵PID:2208
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1476
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"13⤵PID:2156
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2716
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"15⤵PID:2608
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1996
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"17⤵PID:912
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1316
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"19⤵PID:880
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2876
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"21⤵PID:2700
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1572
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"23⤵PID:1724
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1036
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"25⤵PID:764
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:3052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52b506c8157a808cab58f7913e061d182
SHA1fd92ccffc0cc05523208591743a12d890c42d736
SHA2568177fdae98deda849eae912e181f0895062ddea67570a23fa562a39568654878
SHA512aede1ca046dfa052405a7cdacb0c47c442785df0643b787902ae5f11119b0db6b003d301566fe1336081a53ee8503aa21fccbaa8e5649b876dd5c693573957dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59621dbd6cbe48dc81972bfa0d260a3c6
SHA144b96b6bd22a8026d45f1ac3ae1b42efa6915875
SHA2569f85476a48672f9ee433d4a2c046bb1288800a60df94d8c6f10d04cef49e30de
SHA5124d88d1078064de49e23a0537cc29185929f1fce080c35ee40e44658f6d806bbc79fd14b77cd014918cb39161402d86f0887f6825a93b31f1c5a4f42fafd869da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58204810454970d6717139cdbcef46a52
SHA1c646db3300138bd3df465ab0fa39c02ff04fbe7b
SHA2561f0421326e98283217132b0a36936b60b7e3c1d8ce57bde636538d61c34c9fe5
SHA5126a9d149edba8ad048d942fa7c614208ce1c816a6038e94cea8b9f023775ceca4b796b63bbcb7b84cb9a50600a41d3128835a4dea1ef37b943efa0cf9d593483d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD567200887fa06f5b464dcac524ad1475b
SHA132dc400792b590909962f971609c9a0bd6b78c73
SHA256b2521ff0cf3e799743eeae0c2867455b43355691df370b01551c48595cde8bf7
SHA5129c0ac0146cedc7e47520b9c5c28a5d994437e487c0e83d6cd2e9c54b175d848763c1f2e987f109f53816e921101f244363a5bc354524b1ff58e508e0d1e7fad2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5759a6ab927e8943d13e800a0ea45f537
SHA1a7a3cb732da409d951bdca0b329ede1b5290ad12
SHA2561d758a9e0b3855c2b2082d4fe13ae0efc1006966e883a23c927752711692352e
SHA512e7391893d348940da8ad9c4ca117baebddff9b6a1914fcb868285892bb29cdb836418c4a3215d22bd0c9a81fa0b0635afd4534a73cf63e766b34e573d9fe804b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54a752cb810b61aad6661c0e67cbcd607
SHA1cbe70aa09b327cc09c07d26a0e16c7fd984e8178
SHA256a3cfe16e1e5f775157b45cc2920909eb6575733f9de3d4338323ed42446ab9f0
SHA51220111f5bd196b043e605d12577884962b6a9a4a692fe9a31d1eeccfe1f4ef7ce86b5e60a3624518b00940d6812d2146b49920d27f342b4a35244a9a5258d4af0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dd7a5a8229f4c3a682ac35d95a1df8ba
SHA1fe2a54ae1b0cdbe3099a9de696301e633f2f1a53
SHA2568b2b07ca6fd8550b64bcfecaea19b6253bbc146ad9de31c7622a197c7eeea8e5
SHA512532c3ef5316a524170854f7d5be509b21c146751cac21e0d72487eae00d6e8054e5d393ff42ddcbc856f308c7be8000fd35715d2ff65f5384fd9a2506f43f110
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55d5827cfec42e2faf03b5c5dd3daa4d6
SHA1554c3f21403346edbff1f15c2fa18d15d2eabb3c
SHA2565c4dd975be10bd741db8bfd07a2c7f193a3530a60b502cea91d4901a8fbe304e
SHA512d5c6e7387c69fd815c981fc4706977461a381431c70d5a2fe4e2f6e55af2db5c85bcecdf9003afa1824e27a39632d048f1795db9086daf26f81e9703efea636e
-
Filesize
239B
MD5dd85afcf238a2227745e665ef1c99fe7
SHA111caec3dd1b1d2d8060486daa93355712e838fbc
SHA2564aae00c97fccd856bf26e59555269e38e87d7309c62a2f46d29bc4cda4e847a2
SHA512016b92dccbeeb0ba36f6d3d70ec3296039adff63f9d38f24d7bd7b3643416620da66ea34d62f48b85ecbf48fd3398575eae792dcba2ef577ffd46be7f18c7be8
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
239B
MD5b60ab2e49302363ae654944ae9ca7f41
SHA19b38a494fc3edc580b80924e0f2cf6b36a994f46
SHA256605864139585764f4556d2e496620bd024be30918710291ccc42437e34398d5e
SHA512247122ad5d0461dc11d50fb37d7a50622b6f40e6e363cea78dc6ce9c6f573a79246ffe750cc2cc852d1870056df8ee50fb1dfb3cdc5b36aec723620b3f0d4b55
-
Filesize
239B
MD5aac635249f88c7fae453cf7fa93d4aaa
SHA127bdabc729a17ace887ac729e28e798d390a7f04
SHA256a1eced4f4968c057814934fbbc7a727891e941114326224bc8e8a17adfceb2f3
SHA512a40a1b44cb40c28f299267c0327369282087b4577db2a38e5b61075ff89547c84fd906a86528ce1644bed5e0059ab5e1f3aaecc8820536813d20313941f2ceab
-
Filesize
239B
MD59cf4dc790aac380ff7b9567acd91290f
SHA141a84fa9d659811bec00ee99f2f8381ee5366c78
SHA256f66ebad38f9cb1dc42e677f35bd85f6316daa64f77ffcdf457f2b14bce648950
SHA5122a2cea5b2e91dfbd947cbf615da994e35ae80ee84360f1d210acd6a74564b71d72caea785d57f61f5a96c03c20b0468efc24b23c43b24f2dd829e2c5cb19a2aa
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
239B
MD53c8f561e8dec7f8e73e217b17420d7fc
SHA1bc9467190d4b910dca534879ffc13e77caf9387c
SHA25628d28615c6775cb7216b3a2f60fc033d5c05d5b8738e0965623dfeea068b491e
SHA5126e80f1c73637ba120e106438390822f32244216da8d7d851aa58851c98788f310463803dcb2ac5ac10a45f45b4838f2b04fc6d23b2d1b22bbb97d0239506ef06
-
Filesize
239B
MD53725c4b0e4e6d99f799e7cd4850df3d6
SHA1031b8114f7d8f1aac9663c377d1729b3e13c89e1
SHA2568c24f0d8c626e0282b9ad8dc741a2a1af9d173ddfc61f228a5e2d7ee69c37911
SHA512a99d270f3e3edfef0be6cf97cc7d044b13025cabd00c5ac3677102503f34eff2ce8cffe83d6bfd19d9117472df66fe1aa25e16d1f5dbe9a6623dfaa828a9f3b3
-
Filesize
239B
MD50280d1bde313fe1627ac3af861490f5e
SHA1469a2731069cc58f155d01c77dde7f6a3416ef7c
SHA256ca682b3682b6f2db54cf58a3802232f99877b629bb65ad008f28b179f0bb1cf2
SHA5125930e3347508ef6c8d6021b299f53b1ae1b09d55d403f9553f7c43d66ba5e95adb3a7e3de5548af8a416a47388fa915d3de4329f139cc6b4559b0789418ebb4b
-
Filesize
239B
MD58dc27d0c4cfe58baac9e0ded4613d179
SHA19894028de2002dcce65c2104c2a0633f2fc3fe8e
SHA256e76d37c5219f56c3afd61923863b13c344a60c9d7cd0ebb6359b48d1d4fab084
SHA5126308c1e6a60544e31fc819460478970ecd42a96bf3b1c79a0d1a9ffac1f51739f4f81617821926c6da5249383c84561461b1003858781ba74ca005e22f1c2075
-
Filesize
239B
MD5cd4a26e74dcc2e3e39312db3d4650e79
SHA1d297e9889f36b3d79d935986ac2c9feeac0cfb71
SHA256df1f69f4edfae6c8b0dde9fe458b235a0f67135ccc6065641b6cb40dbbb63056
SHA512b7d3afb4f1f2a6a35d6b441b878a50b18fea6a8af7c99badddc3f77b50344b8dcbd8cfe6d8754b1dd9f9b0c236fe6baf97c1cca31c33af70e1efd99faa063f5a
-
Filesize
239B
MD525102b5e9d92900753f2c96013c4f14b
SHA113e932fe824df2fe5a8e5b8a4cc5a4b9a66b939d
SHA256911eec09faf03769588e36999f8ff61441684ffd30d4e1ff9bec7067e35bdcbd
SHA512c61685f69ee045da772e2a2f2ce02135f60bd56f04018c81c0d2dabb65c315cbe1ddf8bd0ce0e29e5e2402bf01b7d2eaa0ca05ef6185fb082ebba49bc7bf540d
-
Filesize
199B
MD56a011852e0d3be244a1f0bcea3301037
SHA189e8c4df124970ae5bce7ae3656aefcb707f53c4
SHA25619fc4b3a5625bd026323076d8fac86b2146574e08bd83da5cd59316e67987cc9
SHA512252ee234ef65292c8fb497fea5a4f56ee27e1a1296cb0ed693711e60e37efe48a6fd0978eef1555189ccae5963c6b8d02f5ea9ac06ec0e80d7d01a303b0f2ded
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5TAN64W7KDMULM5RBHHI.temp
Filesize7KB
MD5d48ccf31cb450988749f6ab40cdfa397
SHA10a30fd05634edee2026023d3cf3bb4b43fcc30a8
SHA25640e7af65f4b2dcda3fa788fe75a1e73cc25964bf1e9750d02bb9df69771d5381
SHA512dcb22c84a5116624c3f6915f64c223ab8f4804d8387329a5c204efe0ac4c3733c53823246542347c562c7995ecd4017111d91221219cbd8c8e9e231c1567fc34
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394