Analysis
max time kernel: 143s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 02:06
Behavioral task: behavioral1
Sample: JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe
Size: 1.3MB
MD5: 3afbb9ac7578d423d44c72e66807b4c3
SHA1: f4c4fe2861e2d8f9266e49867c15568e0ec0b936
SHA256: 3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71
SHA512: 50373cdb531773d266b7046aa60b1c57f5e7e54a7ab69da21ef499c0602cfaf42a1ab8c2a531717c2f22ec156b0f733080b8601eb79bbee73c22f04cbdcd35f2
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral2/files/0x000a000000023b6e-10.dat | dcrat
behavioral2/memory/1372-13-0x0000000000E00000-0x0000000000F10000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE 15 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\Panther\actionqueue\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Windows\Panther\actionqueue\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Windows\diagnostics\system\Printer\it-IT\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Windows\InputMethod\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Windows\InputMethod\9e8d7a4ca61bd9 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820
-
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:3044
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵
PID:5024
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:4724
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵
PID:3920
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:2160
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵
PID:2860
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:3660
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵
PID:1628
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:4428
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵
PID:3292
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat" 16⤵
- Suspicious use of WriteProcessMemory
PID:1984
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵
PID:1128
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat" 18⤵
PID:5056
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵
PID:444
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat" 20⤵
PID:3136
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵
PID:4836
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat" 22⤵
PID:1148
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵
PID:4112
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat" 24⤵
PID:2336
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵
PID:1392
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat" 26⤵
PID:852
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵
PID:3544
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat" 28⤵
PID:3896
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 29⤵
PID:452
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat" 30⤵
PID:4060
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 31⤵
PID:5044
-
C:\Windows\InputMethod\RuntimeBroker.exe
"C:\Windows\InputMethod\RuntimeBroker.exe" 31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\providercommon\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
Network
MITRE ATT&CK Enterprise v15
Downloads