Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 05:26
Behavioral task
behavioral1
Sample
JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
-
Size
1.3MB
-
MD5
e4dda23dd5768f4962c4538afbaf69a0
-
SHA1
9dc3192471df94de1dc45fe5914f781711b5d0f8
-
SHA256
d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a
-
SHA512
8b53332e40808f9ea913490805afd829b984717d3d6b9da97c8080645c745be0c0f51f38fa18fa6c2a9a57c4c63d925cba6864b5c90c6605efbd024d83ab5713
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3216 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2320 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4588 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4684 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4132 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3684 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3924 | 2664 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2664 | schtasks.exe | 88
-
resource | yara_rule
behavioral2/files/0x0007000000023c94-10.dat | dcrat
behavioral2/memory/1888-13-0x0000000000D10000-0x0000000000E20000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1736 | powershell.exe
3988 | powershell.exe
4560 | powershell.exe
4228 | powershell.exe
4248 | powershell.exe
1100 | powershell.exe
844 | powershell.exe
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
-
Executes dropped EXE 15 IoCs
pid | Process
1888 | DllCommonsvc.exe
1496 | fontdrvhost.exe
3056 | fontdrvhost.exe
4112 | fontdrvhost.exe
2516 | fontdrvhost.exe
3392 | fontdrvhost.exe
4444 | fontdrvhost.exe
3004 | fontdrvhost.exe
1464 | fontdrvhost.exe
3604 | fontdrvhost.exe
2944 | fontdrvhost.exe
4572 | fontdrvhost.exe
3964 | fontdrvhost.exe
1316 | fontdrvhost.exe
3872 | fontdrvhost.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow | ioc
39 | raw.githubusercontent.com
53 | raw.githubusercontent.com
34 | raw.githubusercontent.com
38 | raw.githubusercontent.com
44 | raw.githubusercontent.com
55 | raw.githubusercontent.com
13 | raw.githubusercontent.com
14 | raw.githubusercontent.com
52 | raw.githubusercontent.com
54 | raw.githubusercontent.com
22 | raw.githubusercontent.com
45 | raw.githubusercontent.com
43 | raw.githubusercontent.com
51 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\ea9f0e6c9e2dcd | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\fr-FR\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\unsecapp.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\29c1c3cc0f7685 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | fontdrvhost.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3996 | schtasks.exe
3216 | schtasks.exe
4588 | schtasks.exe
4684 | schtasks.exe
3044 | schtasks.exe
1020 | schtasks.exe
2312 | schtasks.exe
3056 | schtasks.exe
4132 | schtasks.exe
3684 | schtasks.exe
1208 | schtasks.exe
2704 | schtasks.exe
2320 | schtasks.exe
2408 | schtasks.exe
1820 | schtasks.exe
1524 | schtasks.exe
3924 | schtasks.exe
1848 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid | Process
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1888 | DllCommonsvc.exe
1736 | powershell.exe
4228 | powershell.exe
844 | powershell.exe
4248 | powershell.exe
1100 | powershell.exe
3988 | powershell.exe
844 | powershell.exe
844 | powershell.exe
4560 | powershell.exe
4560 | powershell.exe
1496 | fontdrvhost.exe
1496 | fontdrvhost.exe
1736 | powershell.exe
4228 | powershell.exe
4248 | powershell.exe
3988 | powershell.exe
1100 | powershell.exe
4560 | powershell.exe
3056 | fontdrvhost.exe
4112 | fontdrvhost.exe
2516 | fontdrvhost.exe
3392 | fontdrvhost.exe
4444 | fontdrvhost.exe
3004 | fontdrvhost.exe
1464 | fontdrvhost.exe
3604 | fontdrvhost.exe
2944 | fontdrvhost.exe
4572 | fontdrvhost.exe
3964 | fontdrvhost.exe
1316 | fontdrvhost.exe
3872 | fontdrvhost.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1888 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1736 | powershell.exe
Token: SeDebugPrivilege | 4228 | powershell.exe
Token: SeDebugPrivilege | 3988 | powershell.exe
Token: SeDebugPrivilege | 844 | powershell.exe
Token: SeDebugPrivilege | 4248 | powershell.exe
Token: SeDebugPrivilege | 1100 | powershell.exe
Token: SeDebugPrivilege | 1496 | fontdrvhost.exe
Token: SeDebugPrivilege | 4560 | powershell.exe
Token: SeDebugPrivilege | 3056 | fontdrvhost.exe
Token: SeDebugPrivilege | 4112 | fontdrvhost.exe
Token: SeDebugPrivilege | 2516 | fontdrvhost.exe
Token: SeDebugPrivilege | 3392 | fontdrvhost.exe
Token: SeDebugPrivilege | 4444 | fontdrvhost.exe
Token: SeDebugPrivilege | 3004 | fontdrvhost.exe
Token: SeDebugPrivilege | 1464 | fontdrvhost.exe
Token: SeDebugPrivilege | 3604 | fontdrvhost.exe
Token: SeDebugPrivilege | 2944 | fontdrvhost.exe
Token: SeDebugPrivilege | 4572 | fontdrvhost.exe
Token: SeDebugPrivilege | 3964 | fontdrvhost.exe
Token: SeDebugPrivilege | 1316 | fontdrvhost.exe
Token: SeDebugPrivilege | 3872 | fontdrvhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3896 wrote to memory of 3920 | 3896 | JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe | 83
PID 3896 wrote to memory of 3920 | 3896 | JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe | 83
PID 3896 wrote to memory of 3920 | 3896 | JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe | 83
PID 3920 wrote to memory of 2920 | 3920 | WScript.exe | 85
PID 3920 wrote to memory of 2920 | 3920 | WScript.exe | 85
PID 3920 wrote to memory of 2920 | 3920 | WScript.exe | 85
PID 2920 wrote to memory of 1888 | 2920 | cmd.exe | 87
PID 2920 wrote to memory of 1888 | 2920 | cmd.exe | 87
PID 1888 wrote to memory of 1736 | 1888 | DllCommonsvc.exe | 108
PID 1888 wrote to memory of 1736 | 1888 | DllCommonsvc.exe | 108
PID 1888 wrote to memory of 844 | 1888 | DllCommonsvc.exe | 109
PID 1888 wrote to memory of 844 | 1888 | DllCommonsvc.exe | 109
PID 1888 wrote to memory of 3988 | 1888 | DllCommonsvc.exe | 110
PID 1888 wrote to memory of 3988 | 1888 | DllCommonsvc.exe | 110
PID 1888 wrote to memory of 4560 | 1888 | DllCommonsvc.exe | 111
PID 1888 wrote to memory of 4560 | 1888 | DllCommonsvc.exe | 111
PID 1888 wrote to memory of 4228 | 1888 | DllCommonsvc.exe | 112
PID 1888 wrote to memory of 4228 | 1888 | DllCommonsvc.exe | 112
PID 1888 wrote to memory of 4248 | 1888 | DllCommonsvc.exe | 113
PID 1888 wrote to memory of 4248 | 1888 | DllCommonsvc.exe | 113
PID 1888 wrote to memory of 1100 | 1888 | DllCommonsvc.exe | 114
PID 1888 wrote to memory of 1100 | 1888 | DllCommonsvc.exe | 114
PID 1888 wrote to memory of 1496 | 1888 | DllCommonsvc.exe | 121
PID 1888 wrote to memory of 1496 | 1888 | DllCommonsvc.exe | 121
PID 1496 wrote to memory of 1288 | 1496 | fontdrvhost.exe | 124
PID 1496 wrote to memory of 1288 | 1496 | fontdrvhost.exe | 124
PID 1288 wrote to memory of 3556 | 1288 | cmd.exe | 126
PID 1288 wrote to memory of 3556 | 1288 | cmd.exe | 126
PID 1288 wrote to memory of 3056 | 1288 | cmd.exe | 128
PID 1288 wrote to memory of 3056 | 1288 | cmd.exe | 128
PID 3056 wrote to memory of 1620 | 3056 | fontdrvhost.exe | 141
PID 3056 wrote to memory of 1620 | 3056 | fontdrvhost.exe | 141
PID 1620 wrote to memory of 3360 | 1620 | cmd.exe | 143
PID 1620 wrote to memory of 3360 | 1620 | cmd.exe | 143
PID 1620 wrote to memory of 4112 | 1620 | cmd.exe | 145
PID 1620 wrote to memory of 4112 | 1620 | cmd.exe | 145
PID 4112 wrote to memory of 4632 | 4112 | fontdrvhost.exe | 149
PID 4112 wrote to memory of 4632 | 4112 | fontdrvhost.exe | 149
PID 4632 wrote to memory of 4580 | 4632 | cmd.exe | 151
PID 4632 wrote to memory of 4580 | 4632 | cmd.exe | 151
PID 4632 wrote to memory of 2516 | 4632 | cmd.exe | 154
PID 4632 wrote to memory of 2516 | 4632 | cmd.exe | 154
PID 2516 wrote to memory of 4892 | 2516 | fontdrvhost.exe | 156
PID 2516 wrote to memory of 4892 | 2516 | fontdrvhost.exe | 156
PID 4892 wrote to memory of 4272 | 4892 | cmd.exe | 158
PID 4892 wrote to memory of 4272 | 4892 | cmd.exe | 158
PID 4892 wrote to memory of 3392 | 4892 | cmd.exe | 160
PID 4892 wrote to memory of 3392 | 4892 | cmd.exe | 160
PID 3392 wrote to memory of 3888 | 3392 | fontdrvhost.exe | 162
PID 3392 wrote to memory of 3888 | 3392 | fontdrvhost.exe | 162
PID 3888 wrote to memory of 1672 | 3888 | cmd.exe | 164
PID 3888 wrote to memory of 1672 | 3888 | cmd.exe | 164
PID 3888 wrote to memory of 4444 | 3888 | cmd.exe | 166
PID 3888 wrote to memory of 4444 | 3888 | cmd.exe | 166
PID 4444 wrote to memory of 1772 | 4444 | fontdrvhost.exe | 168
PID 4444 wrote to memory of 1772 | 4444 | fontdrvhost.exe | 168
PID 1772 wrote to memory of 5072 | 1772 | cmd.exe | 170
PID 1772 wrote to memory of 5072 | 1772 | cmd.exe | 170
PID 1772 wrote to memory of 3004 | 1772 | cmd.exe | 172
PID 1772 wrote to memory of 3004 | 1772 | cmd.exe | 172
PID 3004 wrote to memory of 4228 | 3004 | fontdrvhost.exe | 174
PID 3004 wrote to memory of 4228 | 3004 | fontdrvhost.exe | 174
PID 4228 wrote to memory of 1500 | 4228 | cmd.exe | 176
PID 4228 wrote to memory of 1500 | 4228 | cmd.exe | 176
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\unsecapp.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:3556
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:3360
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:4580
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:4272
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:1672
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat" 16⤵
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:5072
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat" 18⤵
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:1500
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat" 20⤵ PID:4460
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:984
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat" 22⤵ PID:3424
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:3852
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat" 24⤵ PID:1148
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:748
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat" 26⤵ PID:4800
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:1924
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat" 28⤵ PID:764
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 29⤵ PID:2144
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat" 30⤵ PID:1336
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 31⤵ PID:4152
-
-
C:\Windows\fr-FR\fontdrvhost.exe "C:\Windows\fr-FR\fontdrvhost.exe" 31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\USOShared\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\unsecapp.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\unsecapp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\unsecapp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
197B
MD512a0758ee878ef703cc538eceb2c4a33
SHA1f7c6e734903571576bb0199c32ffc5dd0279b3b4
SHA256791922e26d292a7c01b0caea02f53f20fb13aa21ebc15103d1441260185c3a94
SHA51285dc95b1fe65417e67eaf2124275a574778cf577e1a18b944646d916fd98a6412f064fb17603a99d940f4e6695ee81d43c5f996bebb3c9b1394d46a361d5730e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
197B
MD551166fa424f18e8665ccbf55cab50da9
SHA1809fbc081b055e36388af36f182b5f654c078063
SHA2568551b97f71087485fbe19a1062d91a7b34041d67775a1a70a12b4a8051f84a5b
SHA512c8a3040a936275341a7bb250d8e7eeee374a2b3efa81330060d8da8abd74ebf7a60ca2b2ef2890fffb5bee39a38b94ca43a18faf080ee61814c2951f9b837746
-
Filesize
197B
MD5720f11cdcc6d485023a41c967c849074
SHA1d2bfe45f6e30d25d14cfddbbbce155d3773bfb2d
SHA2561f8c931b594f3fa33fa139c8c379cffaad29bb38ad01a39d9a2310a6457b40fc
SHA512936ec28e81f6df7a09b9c9830efe9ff064f13e947363affc0093d4ada2d06126cbe8b9a124d77f597ef201bc34adb0b406f9c4cbfa460b530feaa8e7b9e78132
-
Filesize
197B
MD5d9d8bb73d6f5dbc76721715f7fe81659
SHA1e5cf54deae27e7ed8ac22539bb60130d362b6ab0
SHA25662d1cdd69d5e141f058b16841dbac0607faf9e43dd442d31e4cada7e642260a6
SHA5127586e3e36206e5f7dbfe2a54d1b6df9cfb6dbc3c8e431c4c4226bf562961c637047130cc56646627bad58f54176e27b827f13d8dd73a7f1a3ed209513442f1e1
-
Filesize
197B
MD5e6828e38f2518fc31160801062eda3f8
SHA1ed36a47a2e66000ce407d2983d7ec391dd7c7955
SHA256c3227ee2f5dace0078c86657ac6fde980d4b385d9e216a578efa0ae8e931d7b4
SHA5121c5d393797f93fdbac7af82b1ea4fe9eb194f61a6491b5e8fd2ba4c557987c4e06b45d8bac14f19880cd9218483d351640ed64a91bc1c19ac6cc3e1aabfa087b
-
Filesize
197B
MD5d40ed4166a7481baecfa34f2445938cf
SHA1aff973fb08a8713421b2969bf0e270fb0d180ed1
SHA256f6d353e3aeaca1e3a386095996cee02dab4a2666954a7e4e289ea7ba12d635b0
SHA51269a104aac9221eb086112f94b2e703661354e160eb4b3856ebd56df5f51f8a61fe9336f7e5b273f7bf27a1257b262e33270a0a2d7ae08c8c672b276be09d731d
-
Filesize
197B
MD5f7de649216e0cc0b593fc9c80b0ad768
SHA1771b4646327ae9c2bfe17241b5f76027e6b3613a
SHA256a8f9c9a8e7dff0d475e3e80f083991efbb82874674feba3d563abbce719a9ad1
SHA5122d15642fb15a2c836a3ed8dba601cec2a971c07c71c32d6db1ab68a8d06ed41a669d3f57424df5cc66e49889c77d430c98503d6d80d56dfea49585558b8cd520
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478