Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 00:34
Behavioral task
behavioral1
Sample
JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe
-
Size
1.3MB
-
MD5
635078e24668df4f43ab1768f0edde94
-
SHA1
cd2d7a837f11d9aa9f987d65e303a023954a71d8
-
SHA256
7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0
-
SHA512
2a0247895bb0d9cce1cb5c15c61e5625b8ab870fad067f2e44664ffe1979b85b64c7080cf3e4e91eed191c086f193343ce84b7c641e2fc17043670a3ab039aff
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1088 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1952 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1112 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 880 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1184 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1084 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 564 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 2692 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2692 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0008000000015d2f-9.dat | dcrat
behavioral1/memory/2680-13-0x0000000000E10000-0x0000000000F20000-memory.dmp | dcrat
behavioral1/memory/2540-84-0x0000000000E60000-0x0000000000F70000-memory.dmp | dcrat
behavioral1/memory/2732-321-0x00000000010D0000-0x00000000011E0000-memory.dmp | dcrat
behavioral1/memory/2456-502-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2224 | powershell.exe
2948 | powershell.exe
2024 | powershell.exe
1012 | powershell.exe
2424 | powershell.exe
2180 | powershell.exe
444 | powershell.exe
2420 | powershell.exe
1976 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2680 | DllCommonsvc.exe
2540 | Idle.exe
1876 | Idle.exe
2372 | Idle.exe
2480 | Idle.exe
2732 | Idle.exe
640 | Idle.exe
2920 | Idle.exe
2456 | Idle.exe
1728 | Idle.exe
860 | Idle.exe
-
Loads dropped DLL 2 IoCs
pid | Process
608 | cmd.exe
608 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
28 | raw.githubusercontent.com
34 | raw.githubusercontent.com
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
21 | raw.githubusercontent.com
25 | raw.githubusercontent.com
31 | raw.githubusercontent.com
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\system\cmd.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2584 | schtasks.exe
2652 | schtasks.exe
1952 | schtasks.exe
2708 | schtasks.exe
628 | schtasks.exe
2184 | schtasks.exe
1088 | schtasks.exe
1436 | schtasks.exe
880 | schtasks.exe
1852 | schtasks.exe
564 | schtasks.exe
2884 | schtasks.exe
2548 | schtasks.exe
3048 | schtasks.exe
3016 | schtasks.exe
2864 | schtasks.exe
2364 | schtasks.exe
2160 | schtasks.exe
2984 | schtasks.exe
1112 | schtasks.exe
1184 | schtasks.exe
448 | schtasks.exe
1084 | schtasks.exe
1668 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2680 | DllCommonsvc.exe
2180 | powershell.exe
2420 | powershell.exe
2224 | powershell.exe
444 | powershell.exe
2424 | powershell.exe
1976 | powershell.exe
2024 | powershell.exe
1012 | powershell.exe
2948 | powershell.exe
2540 | Idle.exe
1876 | Idle.exe
2372 | Idle.exe
2480 | Idle.exe
2732 | Idle.exe
640 | Idle.exe
2920 | Idle.exe
2456 | Idle.exe
1728 | Idle.exe
860 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2680 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 444 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 1976 | powershell.exe
Token: SeDebugPrivilege | 2024 | powershell.exe
Token: SeDebugPrivilege | 1012 | powershell.exe
Token: SeDebugPrivilege | 2948 | powershell.exe
Token: SeDebugPrivilege | 2540 | Idle.exe
Token: SeDebugPrivilege | 1876 | Idle.exe
Token: SeDebugPrivilege | 2372 | Idle.exe
Token: SeDebugPrivilege | 2480 | Idle.exe
Token: SeDebugPrivilege | 2732 | Idle.exe
Token: SeDebugPrivilege | 640 | Idle.exe
Token: SeDebugPrivilege | 2920 | Idle.exe
Token: SeDebugPrivilege | 2456 | Idle.exe
Token: SeDebugPrivilege | 1728 | Idle.exe
Token: SeDebugPrivilege | 860 | Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2096 wrote to memory of 2124 | 2096 | JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe | 31
PID 2096 wrote to memory of 2124 | 2096 | JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe | 31
PID 2096 wrote to memory of 2124 | 2096 | JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe | 31
PID 2096 wrote to memory of 2124 | 2096 | JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe | 31
PID 2124 wrote to memory of 608 | 2124 | WScript.exe | 32
PID 2124 wrote to memory of 608 | 2124 | WScript.exe | 32
PID 2124 wrote to memory of 608 | 2124 | WScript.exe | 32
PID 2124 wrote to memory of 608 | 2124 | WScript.exe | 32
PID 608 wrote to memory of 2680 | 608 | cmd.exe | 34
PID 608 wrote to memory of 2680 | 608 | cmd.exe | 34
PID 608 wrote to memory of 2680 | 608 | cmd.exe | 34
PID 608 wrote to memory of 2680 | 608 | cmd.exe | 34
PID 2680 wrote to memory of 2180 | 2680 | DllCommonsvc.exe | 60
PID 2680 wrote to memory of 2180 | 2680 | DllCommonsvc.exe | 60
PID 2680 wrote to memory of 2180 | 2680 | DllCommonsvc.exe | 60
PID 2680 wrote to memory of 2224 | 2680 | DllCommonsvc.exe | 61
PID 2680 wrote to memory of 2224 | 2680 | DllCommonsvc.exe | 61
PID 2680 wrote to memory of 2224 | 2680 | DllCommonsvc.exe | 61
PID 2680 wrote to memory of 2948 | 2680 | DllCommonsvc.exe | 62
PID 2680 wrote to memory of 2948 | 2680 | DllCommonsvc.exe | 62
PID 2680 wrote to memory of 2948 | 2680 | DllCommonsvc.exe | 62
PID 2680 wrote to memory of 1976 | 2680 | DllCommonsvc.exe | 65
PID 2680 wrote to memory of 1976 | 2680 | DllCommonsvc.exe | 65
PID 2680 wrote to memory of 1976 | 2680 | DllCommonsvc.exe | 65
PID 2680 wrote to memory of 2424 | 2680 | DllCommonsvc.exe | 66
PID 2680 wrote to memory of 2424 | 2680 | DllCommonsvc.exe | 66
PID 2680 wrote to memory of 2424 | 2680 | DllCommonsvc.exe | 66
PID 2680 wrote to memory of 2420 | 2680 | DllCommonsvc.exe | 67
PID 2680 wrote to memory of 2420 | 2680 | DllCommonsvc.exe | 67
PID 2680 wrote to memory of 2420 | 2680 | DllCommonsvc.exe | 67
PID 2680 wrote to memory of 1012 | 2680 | DllCommonsvc.exe | 68
PID 2680 wrote to memory of 1012 | 2680 | DllCommonsvc.exe | 68
PID 2680 wrote to memory of 1012 | 2680 | DllCommonsvc.exe | 68
PID 2680 wrote to memory of 2024 | 2680 | DllCommonsvc.exe | 69
PID 2680 wrote to memory of 2024 | 2680 | DllCommonsvc.exe | 69
PID 2680 wrote to memory of 2024 | 2680 | DllCommonsvc.exe | 69
PID 2680 wrote to memory of 444 | 2680 | DllCommonsvc.exe | 70
PID 2680 wrote to memory of 444 | 2680 | DllCommonsvc.exe | 70
PID 2680 wrote to memory of 444 | 2680 | DllCommonsvc.exe | 70
PID 2680 wrote to memory of 2132 | 2680 | DllCommonsvc.exe | 78
PID 2680 wrote to memory of 2132 | 2680 | DllCommonsvc.exe | 78
PID 2680 wrote to memory of 2132 | 2680 | DllCommonsvc.exe | 78
PID 2132 wrote to memory of 1412 | 2132 | cmd.exe | 80
PID 2132 wrote to memory of 1412 | 2132 | cmd.exe | 80
PID 2132 wrote to memory of 1412 | 2132 | cmd.exe | 80
PID 2132 wrote to memory of 2540 | 2132 | cmd.exe | 81
PID 2132 wrote to memory of 2540 | 2132 | cmd.exe | 81
PID 2132 wrote to memory of 2540 | 2132 | cmd.exe | 81
PID 2540 wrote to memory of 1896 | 2540 | Idle.exe | 82
PID 2540 wrote to memory of 1896 | 2540 | Idle.exe | 82
PID 2540 wrote to memory of 1896 | 2540 | Idle.exe | 82
PID 1896 wrote to memory of 1584 | 1896 | cmd.exe | 84
PID 1896 wrote to memory of 1584 | 1896 | cmd.exe | 84
PID 1896 wrote to memory of 1584 | 1896 | cmd.exe | 84
PID 1896 wrote to memory of 1876 | 1896 | cmd.exe | 85
PID 1896 wrote to memory of 1876 | 1896 | cmd.exe | 85
PID 1896 wrote to memory of 1876 | 1896 | cmd.exe | 85
PID 1876 wrote to memory of 900 | 1876 | Idle.exe | 86
PID 1876 wrote to memory of 900 | 1876 | Idle.exe | 86
PID 1876 wrote to memory of 900 | 1876 | Idle.exe | 86
PID 900 wrote to memory of 1160 | 900 | cmd.exe | 88
PID 900 wrote to memory of 1160 | 900 | cmd.exe | 88
PID 900 wrote to memory of 1160 | 900 | cmd.exe | 88
PID 900 wrote to memory of 2372 | 900 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:608 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JAOarNqrtp.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:1412
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:1584
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:1160
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat" 11⤵ PID:2752
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:1976
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat" 13⤵ PID:1148
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:1892
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat" 15⤵ PID:1980
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:1932
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat" 17⤵ PID:988
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:1956
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat" 19⤵ PID:2900
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:1184
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat" 21⤵ PID:2736
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:1568
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat" 23⤵ PID:2176
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2396
-
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat" 25⤵ PID:2704
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:2588
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\system\cmd.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52d719ce48a311b31a6a2d5025617baad
SHA1f29396a3dce1a801d3cde6ec50667a4b2080ed5f
SHA256d8658a972390346f251d052e50d5ed8bad7a57153b2f09f089f5b61b10a5156b
SHA5121ab0c854bd6ada9aeab7185bc4dc5dd0313d65bd1d2fd9eb04013b91419be01695fcc0eee35473ae826f478293a9e246af8366fcb5ae57aa6c4bdbcc5dde7315
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5da64e69e74cbd2df5de620a183ae894d
SHA1b9325f1619ec1ffe38744b32692a173be86ded51
SHA2562e8d1d5e96eb864aa78b935be9f9f0f6fbab632dc9cfc295bb000508653deffa
SHA5128265059d7f93990b4a19b4df6bc39f4a289e9cc707dfdc8009f77223c1533d427cc6b061aa4ed10ef4378c65409579c7b4e2265f053a9e4dd11437d4bf465a46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54d1af3a64da084c7d97250d7fa01d3c6
SHA1ce98336a153b7da257f4756c2577c55bdc534262
SHA256a5f4e523bbe2d349aa25701f99f9a1555ae9a28518b2edceca7c85b5912b8599
SHA512ff4001a95878b0fa49b8ca5a696ca0a8b21146ab8cdd498ac8860dc9f9b724d41404cdf7d73c7dcfe487309d9e64530275e1322500b3788f03ae67ab30ee0504
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50376b3afc107c376239ff87c87be5743
SHA1b9019150e6ebc5098eb398f83cfab3830e7e9b7a
SHA2568e5db0f2321e6f6ea1085dcbe33cfd749c5085739514176aeb9eea066ff38b6c
SHA512208d030f11b3631d0c23ccf1f53b7b9f38f145a6c50a1c24db12ef927e5ab1cfb6f680edb245048f5761d95b9ddf83ffc4b27e3b8d4d755ca131200c92fd312e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD526ebf4cafb36ff79ecd21f1dd58c76e3
SHA10cc4348419e6921546f8ea7be76a44f3f916ced7
SHA256645ef817e282b752a1bda849ccab13e775d2b23d60aa39b4483c94e073d7ed96
SHA51239970f685c82a202680036058281009f6af542d6fe8f3895e616c5532ff592640e6c42edb7e7488fb4bf43a734b50d977583e6576bfb55a2cdfe5b08b85eaec8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53b1196ab2a1377a530b2c72384085d70
SHA1777ea260c370a76cd8d44ebb4ae659fa353ca318
SHA2562d30f4ae04b279f0548e101b956dddf2822b3654fe8d4d8efd3212d040c985d3
SHA512deea0da97955f605d7bbba49cd18c674bef57f76a9435d9c8f68036c301bfa59f9b9cb9b49b1c669d8a26042d90ab6267c289da1445a6a38c96afbec873a1eb4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59bbc90acebe5df180ac3e81485bb2b18
SHA1585f24542e6c57b15296823113e53644b4a9aee0
SHA25653ce59eb5c49928997284a72102db6738d2b75b738a28c799937670c9f3a6763
SHA5120a20ab0586956c00ddaac8a538140f27c0ec7b2593e07a3fc78034f9e9bb1c1fe720fdba31deb5d5fa053c0a26d59837b10db9f0ddf9bd444c2eecf5fc1420b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD521f14b771d2aeefcf0bd8e25d681ad7c
SHA1a95d37d737802c690df0f13e6bb0db45965f3fcf
SHA256c26300cf6d377c67ae58f0aea09a7e821d672769b2141610879e855f8a201fdb
SHA51242c8f9706a0cee10b6b1a0767ab593ca5fc60a8bd5f41ebcddf56260fe0deefc3790bb88399fa48fdd7728ad6f80ca336dd26f512f9d4987ac65e6b94144510a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XFFOAXOWFG32I321J1IJ.temp
Filesize 7KB