Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 21:00
Behavioral task
behavioral1
Sample
JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
Size: 1.3MB
MD5: 10c386e880209d4025bdf3b29ce4a48d
SHA1: 02d8babcffff08f5cf6da5b771045384bdc8036d
SHA256: 6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3
SHA512: 03c63901e6f13f6e446a017de6d0faa9d4cfd77146c48f2d1c22affd50ab6a2765199cf9e02e532c24dfc827e6816d6ba91442c7e88f5b909273a911c822a3da
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4472  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2240  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1328  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2992  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3268  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1392  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2464  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2772  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4424  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3608  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3680  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3100  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4312  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1668  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  384  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4968  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  584  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4900  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1952  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1748  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4252  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2728  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2300  3960  schtasks.exe  90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4572  3960  schtasks.exe  90
-
resource  yara_rule
behavioral2/files/0x0007000000023cc0-10.dat  dcrat
behavioral2/memory/548-13-0x0000000000940000-0x0000000000A50000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
900  powershell.exe
1028  powershell.exe
4380  powershell.exe
4324  powershell.exe
1516  powershell.exe
4528  powershell.exe
4620  powershell.exe
2164  powershell.exe
728  powershell.exe
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  DllCommonsvc.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  lsass.exe
-
Executes dropped EXE 14 IoCs
pid  Process
548  DllCommonsvc.exe
872  lsass.exe
4740  lsass.exe
1136  lsass.exe
2444  lsass.exe
872  lsass.exe
3680  lsass.exe
3452  lsass.exe
1892  lsass.exe
4660  lsass.exe
4696  lsass.exe
4140  lsass.exe
940  lsass.exe
4556  lsass.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow  ioc
21  raw.githubusercontent.com
51  raw.githubusercontent.com
55  raw.githubusercontent.com
16  raw.githubusercontent.com
45  raw.githubusercontent.com
44  raw.githubusercontent.com
15  raw.githubusercontent.com
29  raw.githubusercontent.com
52  raw.githubusercontent.com
53  raw.githubusercontent.com
54  raw.githubusercontent.com
57  raw.githubusercontent.com
39  raw.githubusercontent.com
42  raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File created  C:\Program Files\Mozilla Firefox\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files\Mozilla Firefox\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e  DllCommonsvc.exe
-
Drops file in Windows directory 1 IoCs
description  ioc  Process
File created  C:\Windows\OCR\fr-fr\taskhostw.exe  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Modifies registry class 13 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  lsass.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2992  schtasks.exe
2772  schtasks.exe
3680  schtasks.exe
3100  schtasks.exe
4968  schtasks.exe
584  schtasks.exe
2728  schtasks.exe
1328  schtasks.exe
3268  schtasks.exe
1668  schtasks.exe
4900  schtasks.exe
1952  schtasks.exe
4572  schtasks.exe
4472  schtasks.exe
2464  schtasks.exe
3608  schtasks.exe
4312  schtasks.exe
384  schtasks.exe
1748  schtasks.exe
1392  schtasks.exe
4424  schtasks.exe
4252  schtasks.exe
2300  schtasks.exe
2240  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid  Process
548  DllCommonsvc.exe
548  DllCommonsvc.exe
548  DllCommonsvc.exe
548  DllCommonsvc.exe
548  DllCommonsvc.exe
548  DllCommonsvc.exe
548  DllCommonsvc.exe
548  DllCommonsvc.exe
4324  powershell.exe
728  powershell.exe
1516  powershell.exe
1516  powershell.exe
1028  powershell.exe
1028  powershell.exe
900  powershell.exe
900  powershell.exe
4620  powershell.exe
4620  powershell.exe
4380  powershell.exe
4380  powershell.exe
4528  powershell.exe
4528  powershell.exe
2164  powershell.exe
2164  powershell.exe
2164  powershell.exe
4324  powershell.exe
4324  powershell.exe
728  powershell.exe
728  powershell.exe
872  lsass.exe
872  lsass.exe
1028  powershell.exe
1516  powershell.exe
900  powershell.exe
4528  powershell.exe
4380  powershell.exe
4620  powershell.exe
4740  lsass.exe
1136  lsass.exe
2444  lsass.exe
872  lsass.exe
3680  lsass.exe
3452  lsass.exe
1892  lsass.exe
4660  lsass.exe
4696  lsass.exe
4140  lsass.exe
940  lsass.exe
4556  lsass.exe
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description  pid  Process
Token: SeDebugPrivilege  548  DllCommonsvc.exe
Token: SeDebugPrivilege  4324  powershell.exe
Token: SeDebugPrivilege  728  powershell.exe
Token: SeDebugPrivilege  1516  powershell.exe
Token: SeDebugPrivilege  1028  powershell.exe
Token: SeDebugPrivilege  900  powershell.exe
Token: SeDebugPrivilege  4620  powershell.exe
Token: SeDebugPrivilege  4380  powershell.exe
Token: SeDebugPrivilege  4528  powershell.exe
Token: SeDebugPrivilege  872  lsass.exe
Token: SeDebugPrivilege  2164  powershell.exe
Token: SeDebugPrivilege  4740  lsass.exe
Token: SeDebugPrivilege  1136  lsass.exe
Token: SeDebugPrivilege  2444  lsass.exe
Token: SeDebugPrivilege  872  lsass.exe
Token: SeDebugPrivilege  3680  lsass.exe
Token: SeDebugPrivilege  3452  lsass.exe
Token: SeDebugPrivilege  1892  lsass.exe
Token: SeDebugPrivilege  4660  lsass.exe
Token: SeDebugPrivilege  4696  lsass.exe
Token: SeDebugPrivilege  4140  lsass.exe
Token: SeDebugPrivilege  940  lsass.exe
Token: SeDebugPrivilege  4556  lsass.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2616 wrote to memory of 3112  2616  JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe  85
PID 2616 wrote to memory of 3112  2616  JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe  85
PID 2616 wrote to memory of 3112  2616  JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe  85
PID 3112 wrote to memory of 668  3112  WScript.exe  87
PID 3112 wrote to memory of 668  3112  WScript.exe  87
PID 3112 wrote to memory of 668  3112  WScript.exe  87
PID 668 wrote to memory of 548  668  cmd.exe  89
PID 668 wrote to memory of 548  668  cmd.exe  89
PID 548 wrote to memory of 2164  548  DllCommonsvc.exe  116
PID 548 wrote to memory of 2164  548  DllCommonsvc.exe  116
PID 548 wrote to memory of 728  548  DllCommonsvc.exe  117
PID 548 wrote to memory of 728  548  DllCommonsvc.exe  117
PID 548 wrote to memory of 4324  548  DllCommonsvc.exe  118
PID 548 wrote to memory of 4324  548  DllCommonsvc.exe  118
PID 548 wrote to memory of 4528  548  DllCommonsvc.exe  119
PID 548 wrote to memory of 4528  548  DllCommonsvc.exe  119
PID 548 wrote to memory of 1516  548  DllCommonsvc.exe  120
PID 548 wrote to memory of 1516  548  DllCommonsvc.exe  120
PID 548 wrote to memory of 900  548  DllCommonsvc.exe  121
PID 548 wrote to memory of 900  548  DllCommonsvc.exe  121
PID 548 wrote to memory of 4620  548  DllCommonsvc.exe  122
PID 548 wrote to memory of 4620  548  DllCommonsvc.exe  122
PID 548 wrote to memory of 1028  548  DllCommonsvc.exe  123
PID 548 wrote to memory of 1028  548  DllCommonsvc.exe  123
PID 548 wrote to memory of 4380  548  DllCommonsvc.exe  124
PID 548 wrote to memory of 4380  548  DllCommonsvc.exe  124
PID 548 wrote to memory of 872  548  DllCommonsvc.exe  133
PID 548 wrote to memory of 872  548  DllCommonsvc.exe  133
PID 872 wrote to memory of 4572  872  lsass.exe  138
PID 872 wrote to memory of 4572  872  lsass.exe  138
PID 4572 wrote to memory of 944  4572  cmd.exe  140
PID 4572 wrote to memory of 944  4572  cmd.exe  140
PID 4572 wrote to memory of 4740  4572  cmd.exe  147
PID 4572 wrote to memory of 4740  4572  cmd.exe  147
PID 4740 wrote to memory of 2036  4740  lsass.exe  153
PID 4740 wrote to memory of 2036  4740  lsass.exe  153
PID 2036 wrote to memory of 3344  2036  cmd.exe  155
PID 2036 wrote to memory of 3344  2036  cmd.exe  155
PID 2036 wrote to memory of 1136  2036  cmd.exe  157
PID 2036 wrote to memory of 1136  2036  cmd.exe  157
PID 1136 wrote to memory of 4800  1136  lsass.exe  161
PID 1136 wrote to memory of 4800  1136  lsass.exe  161
PID 4800 wrote to memory of 2772  4800  cmd.exe  163
PID 4800 wrote to memory of 2772  4800  cmd.exe  163
PID 4800 wrote to memory of 2444  4800  cmd.exe  166
PID 4800 wrote to memory of 2444  4800  cmd.exe  166
PID 2444 wrote to memory of 372  2444  lsass.exe  168
PID 2444 wrote to memory of 372  2444  lsass.exe  168
PID 372 wrote to memory of 4028  372  cmd.exe  170
PID 372 wrote to memory of 4028  372  cmd.exe  170
PID 372 wrote to memory of 872  372  cmd.exe  172
PID 372 wrote to memory of 872  372  cmd.exe  172
PID 872 wrote to memory of 1968  872  lsass.exe  174
PID 872 wrote to memory of 1968  872  lsass.exe  174
PID 1968 wrote to memory of 3516  1968  cmd.exe  176
PID 1968 wrote to memory of 3516  1968  cmd.exe  176
PID 1968 wrote to memory of 3680  1968  cmd.exe  178
PID 1968 wrote to memory of 3680  1968  cmd.exe  178
PID 3680 wrote to memory of 4472  3680  lsass.exe  180
PID 3680 wrote to memory of 4472  3680  lsass.exe  180
PID 4472 wrote to memory of 3528  4472  cmd.exe  182
PID 4472 wrote to memory of 3528  4472  cmd.exe  182
PID 4472 wrote to memory of 3452  4472  cmd.exe  184
PID 4472 wrote to memory of 3452  4472  cmd.exe  184
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:668 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:944
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:3344
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2772
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:4028
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:3516
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:3528
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
18⤵
PID:1180
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:3392
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
20⤵
PID:2840
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:3028
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
22⤵
PID:4536
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:5052
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
24⤵
PID:3048
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:3148
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
26⤵
PID:2672
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:3672
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
28⤵
PID:2360
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:4460
-
-
C:\providercommon\lsass.exe
"C:\providercommon\lsass.exe"
29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572
Network
MITRE ATT&CK Enterprise v15
Downloads