Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 02:42
Behavioral task
behavioral1
Sample
JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
-
Size
1.3MB
-
MD5
5bfc410c52b9a8e9586447e35a2e0571
-
SHA1
36439d929ecb0cc75393a0137bfc9bd9bcac10ce
-
SHA256
6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7
-
SHA512
32beff4980735ad8cff05f804f4242df20e14adaa13f3a897114ec87f819b5ab7d54d28a5683e14558d4c0569b1d0d7a89ba8b465a5bac9852cf205e4a3ecc21
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 116 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4624 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 312 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1344 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3252 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4760 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 736 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4156 736 schtasks.exe 89 -
resource yara_rule behavioral2/files/0x0009000000023bd1-10.dat dcrat behavioral2/memory/2544-13-0x0000000000A40000-0x0000000000B50000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4956 powershell.exe 960 powershell.exe 1612 powershell.exe 2392 powershell.exe 3708 powershell.exe 1980 powershell.exe 4880 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe -
Executes dropped EXE 14 IoCs
pid Process 2544 DllCommonsvc.exe 3348 RuntimeBroker.exe 4588 RuntimeBroker.exe 4384 RuntimeBroker.exe 4108 RuntimeBroker.exe 1060 RuntimeBroker.exe 3284 RuntimeBroker.exe 872 RuntimeBroker.exe 2576 RuntimeBroker.exe 372 RuntimeBroker.exe 1596 RuntimeBroker.exe 4868 RuntimeBroker.exe 1060 RuntimeBroker.exe 4160 RuntimeBroker.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow ioc 36 raw.githubusercontent.com 40 raw.githubusercontent.com 44 raw.githubusercontent.com 52 raw.githubusercontent.com 16 raw.githubusercontent.com 17 raw.githubusercontent.com 22 raw.githubusercontent.com 50 raw.githubusercontent.com 53 raw.githubusercontent.com 54 raw.githubusercontent.com 51 raw.githubusercontent.com 37 raw.githubusercontent.com 42 raw.githubusercontent.com 43 raw.githubusercontent.com -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382 DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\22eafd247d37c3 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\Registry.exe DllCommonsvc.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\debug\sysmon.exe DllCommonsvc.exe File opened for modification C:\Windows\debug\sysmon.exe DllCommonsvc.exe File created C:\Windows\debug\121e5b5079f7c0 DllCommonsvc.exe File created C:\Windows\fr-FR\sppsvc.exe DllCommonsvc.exe File created C:\Windows\fr-FR\0a1fd5f707cd16 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings DllCommonsvc.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4232 schtasks.exe 4760 schtasks.exe 1712 schtasks.exe 2692 schtasks.exe 4624 schtasks.exe 1344 schtasks.exe 5048 schtasks.exe 3120 schtasks.exe 3044 schtasks.exe 312 schtasks.exe 3252 schtasks.exe 1492 schtasks.exe 4388 schtasks.exe 116 schtasks.exe 4976 schtasks.exe 2680 schtasks.exe 4580 schtasks.exe 4156 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 2544 DllCommonsvc.exe 2544 DllCommonsvc.exe 2544 DllCommonsvc.exe 2544 DllCommonsvc.exe 2544 DllCommonsvc.exe 2544 DllCommonsvc.exe 4956 powershell.exe 3708 powershell.exe 1980 powershell.exe 960 powershell.exe 960 powershell.exe 1612 powershell.exe 1612 powershell.exe 4880 powershell.exe 4880 powershell.exe 2392 powershell.exe 2392 powershell.exe 1980 powershell.exe 1980 powershell.exe 4956 powershell.exe 4956 powershell.exe 960 powershell.exe 3708 powershell.exe 3708 powershell.exe 1612 powershell.exe 2392 powershell.exe 4880 powershell.exe 3348 RuntimeBroker.exe 4588 RuntimeBroker.exe 4384 RuntimeBroker.exe 4108 RuntimeBroker.exe 3284 RuntimeBroker.exe 872 RuntimeBroker.exe 2576 RuntimeBroker.exe 372 RuntimeBroker.exe 1596 RuntimeBroker.exe 4868 RuntimeBroker.exe 4160 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2544 DllCommonsvc.exe Token: SeDebugPrivilege 4956 powershell.exe Token: SeDebugPrivilege 1980 powershell.exe Token: SeDebugPrivilege 3708 powershell.exe Token: SeDebugPrivilege 1612 powershell.exe Token: SeDebugPrivilege 960 powershell.exe Token: SeDebugPrivilege 4880 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 3348 RuntimeBroker.exe Token: SeDebugPrivilege 4588 RuntimeBroker.exe Token: SeDebugPrivilege 4384 RuntimeBroker.exe Token: SeDebugPrivilege 4108 RuntimeBroker.exe Token: SeDebugPrivilege 3284 RuntimeBroker.exe Token: SeDebugPrivilege 872 RuntimeBroker.exe Token: SeDebugPrivilege 2576 RuntimeBroker.exe Token: SeDebugPrivilege 372 RuntimeBroker.exe Token: SeDebugPrivilege 1596 RuntimeBroker.exe Token: SeDebugPrivilege 4868 RuntimeBroker.exe Token: SeDebugPrivilege 4160 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 4680 2308 JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe 82 PID 2308 wrote to memory of 4680 2308 JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe 82 PID 2308 wrote to memory of 4680 2308 JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe 82 PID 4680 wrote to memory of 548 4680 WScript.exe 85 PID 4680 wrote to memory of 548 4680 WScript.exe 85 PID 4680 wrote to memory of 548 4680 WScript.exe 85 PID 548 wrote to memory of 2544 548 cmd.exe 87 PID 548 wrote to memory of 2544 548 cmd.exe 87 PID 2544 wrote to memory of 2392 2544 DllCommonsvc.exe 108 PID 2544 wrote to memory of 2392 2544 DllCommonsvc.exe 108 PID 2544 wrote to memory of 3708 2544 DllCommonsvc.exe 109 PID 2544 wrote to memory of 3708 2544 DllCommonsvc.exe 109 PID 2544 wrote to memory of 1980 2544 DllCommonsvc.exe 110 PID 2544 wrote to memory of 1980 2544 DllCommonsvc.exe 110 PID 2544 wrote to memory of 4880 2544 DllCommonsvc.exe 111 PID 2544 wrote to memory of 4880 2544 DllCommonsvc.exe 111 PID 2544 wrote to memory of 4956 2544 DllCommonsvc.exe 112 PID 2544 wrote to memory of 4956 2544 DllCommonsvc.exe 112 PID 2544 wrote to memory of 960 2544 DllCommonsvc.exe 113 PID 2544 wrote to memory of 960 2544 DllCommonsvc.exe 113 PID 2544 wrote to memory of 1612 2544 DllCommonsvc.exe 114 PID 2544 wrote to memory of 1612 2544 DllCommonsvc.exe 114 PID 2544 wrote to memory of 2600 2544 DllCommonsvc.exe 122 PID 2544 wrote to memory of 2600 2544 DllCommonsvc.exe 122 PID 2600 wrote to memory of 1412 2600 cmd.exe 124 PID 2600 wrote to memory of 1412 2600 cmd.exe 124 PID 2600 wrote to memory of 3348 2600 cmd.exe 128 PID 2600 wrote to memory of 3348 2600 cmd.exe 128 PID 3348 wrote to memory of 1160 3348 RuntimeBroker.exe 129 PID 3348 wrote to memory of 1160 3348 RuntimeBroker.exe 129 PID 1160 wrote to memory of 1932 1160 cmd.exe 131 PID 1160 wrote to memory of 1932 1160 cmd.exe 131 PID 1160 wrote to memory of 4588 1160 cmd.exe 132 PID 1160 wrote to memory of 4588 1160 cmd.exe 132 PID 4588 wrote to memory of 3052 4588 RuntimeBroker.exe 133 PID 4588 wrote to memory of 3052 4588 RuntimeBroker.exe 133 PID 3052 wrote to memory of 628 3052 cmd.exe 135 PID 3052 wrote to memory of 628 3052 cmd.exe 135 PID 3052 wrote to memory of 4384 3052 cmd.exe 137 PID 3052 wrote to memory of 4384 3052 cmd.exe 137 PID 4384 wrote to memory of 1292 4384 RuntimeBroker.exe 139 PID 4384 wrote to memory of 1292 4384 RuntimeBroker.exe 139 PID 1292 wrote to memory of 4664 1292 cmd.exe 141 PID 1292 wrote to memory of 4664 1292 cmd.exe 141 PID 1292 wrote to memory of 4108 1292 cmd.exe 142 PID 1292 wrote to memory of 4108 1292 cmd.exe 142 PID 4108 wrote to memory of 4736 4108 RuntimeBroker.exe 143 PID 4108 wrote to memory of 4736 4108 RuntimeBroker.exe 143 PID 4736 wrote to memory of 3676 4736 cmd.exe 145 PID 4736 wrote to memory of 3676 4736 cmd.exe 145 PID 4736 wrote to memory of 1060 4736 cmd.exe 146 PID 4736 wrote to memory of 1060 4736 cmd.exe 146 PID 3280 wrote to memory of 1092 3280 cmd.exe 149 PID 3280 wrote to memory of 1092 3280 cmd.exe 149 PID 3280 wrote to memory of 3284 3280 cmd.exe 150 PID 3280 wrote to memory of 3284 3280 cmd.exe 150 PID 3284 wrote to memory of 4876 3284 RuntimeBroker.exe 151 PID 3284 wrote to memory of 4876 3284 RuntimeBroker.exe 151 PID 4876 wrote to memory of 1216 4876 cmd.exe 153 PID 4876 wrote to memory of 1216 4876 cmd.exe 153 PID 4876 wrote to memory of 872 4876 cmd.exe 154 PID 4876 wrote to memory of 872 4876 cmd.exe 154 PID 872 wrote to memory of 1492 872 RuntimeBroker.exe 155 PID 872 wrote to memory of 1492 872 RuntimeBroker.exe 155 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9hYFnRH7ET.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1412
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1932
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:628
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:4664
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"13⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:3676
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"15⤵
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1092
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"17⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1216
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"19⤵PID:1492
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:4380
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"21⤵PID:1416
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1456
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"23⤵PID:2356
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2968
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"25⤵PID:1284
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2540
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"27⤵PID:3240
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:1496
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"29⤵PID:4372
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:864
-
-
C:\providercommon\RuntimeBroker.exe"C:\providercommon\RuntimeBroker.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"31⤵PID:1564
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵PID:3916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
200B
MD5f00b33f15947c360501e1fed79cf5492
SHA1024513660b53a36ad0709d3f5f83a651364ce33d
SHA256ab39a13831e324874b5b634a47c989a97e3b582a2fef26ab2bb1d3d1ec5168dc
SHA51256d28d39a4e64cb156ce98499ec0d087c3e0a8bb9f5a05c83f1c1ec3f48b5b1e44f5a3f8a75712cb664ceb1fa99a6ae20e12019580598035d4d6124470aaf93b
-
Filesize
200B
MD54abcc3207ece2e444a4f9dca90244e4a
SHA1c3cc327223bd107a48175c09f1b7c7f1e30de241
SHA25690acb3e0a02ecdce0c4e89fe286a82c692b0717b4242bc417dbeb8b61ad74654
SHA51272c8b6606c191303276ac789c6a2f77e0d9cea60f5411f8e74f94d539a9b72efc3d9f940d3816f01b27f4dacf799b6aa0f35b45feeb1d0832d0f629ecfa9f707
-
Filesize
200B
MD5c9168bbade509fd6a19710fc148f14ba
SHA18e55947a9f713409d938a32560f1b1b35577c47f
SHA256b36f0eb615be2665e2c6d4c8f8b5efdfe1ad15a4746d93836e4c22cafe42f81c
SHA51250316b47e5c25ee069b99ca2e4a766af661c66e59c52f5dec19492c597264a5032462e85101972a25bff405da3411753d42eec7cad890fc4356199a3df815769
-
Filesize
200B
MD56de785efd6526da38d37f14fb9fe8fc3
SHA1633478ac62af0aa79186eab697dfb2e1ebf8a056
SHA256a8d873051c2fb2e1213b0260253ccaf9aec98188b3d919245f45f91368424a2f
SHA5123e7209e800865012aeca9cbd891cbbafd9a31b3e6657392fff4e22321c6970d9bfa3d9aaafc5b11244f80ca3e8e5499c61643ad8fcd3e8e38ade355d9538fc72
-
Filesize
200B
MD51851078bfa9dba17e007c17616f38f1f
SHA110d3b22308a260c5d4efbf00a34bd8cfd0d936f5
SHA256fc42beab32b713b775149f10ff9af3bab6cb785baca92262e627e8140f22b9aa
SHA51229ccbd4ec01fcc5ddc278cfa4aee3887beff21ab1507b1bc712495653631820f8c0a86fe21a0f10cb1b7245cbf6656cc22da9b94fb5c9417df808fba238d3587
-
Filesize
200B
MD5d62a8047dba663760da05c75f2ed9aaa
SHA13cf3a95d4d1a5341d45a6f9fc66a8e6d6d586e3e
SHA256da3d1634e149238512f59cf963b2c6dc0bf426a68166ce32c98ac6f37f70a970
SHA512fd34ed87e77d66d3d993fd7e30c22e7471f3b6f5cf072aef32db60d58df0dcf5a9bff3ac3f6133c81fc796bd2e6e24e9184d596fe4ab7e8dbfcb1bd2e7515d60
-
Filesize
200B
MD564cb1144350fff78f51748d057c5fccc
SHA1cdf2ed3f4896d7f4359116a6ee6279b5a915ade5
SHA256bcd0dd9f6e45ac907fc4eea9f3ba8906f18171cbc842ff5ab6e56d3466411061
SHA512d7157e6d6706eaa5f265a0c60028a9909376d621f8e53e34851f5e7485db3c6d9514f866ddab0ce475d36a8558183b81ea434f8b625626acb9a1930de6dc57db
-
Filesize
200B
MD51722b4980e5e881c52bbfffa0675acfe
SHA1115e181ac96590a6c8f589c347b76a3ed1bf7942
SHA256bf31f4a3a8a73e2d58a90b0ad2250b41757e161e8d78d023910870c4c6d967ce
SHA512f0c97a7bbd4d2fef5223b4152f5b6cc0f8345e6151c5c4a1e6f892655cbd30e72cfb0c964dbb005684661b3737cc584b0898fb3994c3cc5d32de9e2e55dc24e9
-
Filesize
200B
MD5d86760c2f21e55c8abd49e62281284ad
SHA1af3806e007cc600e8619bf531dbb0186820b6b8b
SHA2562560627667e5d47e9a371246045758fcb161d0e3644d7f46e0f33546d17747d0
SHA5127e33c030608ccbba24f011c2e1352a43a379bb72756b9fb2e93514bd22aff76906c8d4ae426c0df3c48bc61bb4946270abc88a850315adc4cb332ff22ede500c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
200B
MD508852af7340772f11e8a5965fe428854
SHA1fd7bfe34f13b68757c58bba735b512a4f3f9e3f8
SHA2567eb4d12e359e924bac718f69d14b4f9bea1cd1eb59038b14b450e0b53bcdc237
SHA5126cd7145ee519196074a663c072770ea82346d0e6422defac3974b19e3166f69c4863f000be36c242161313ff3a117eb08ccbbbf756d64e86624c2101d2a9e0e8
-
Filesize
200B
MD5dfcffd74446ba4c141145e64c2ad2540
SHA1a90214ceb5266c00ce616d6d821c17773015db7c
SHA256f14dcbb52d161200456ce21e649a55f362ed1727fbbe046b4c96283fde5acc86
SHA512df838dce46033ed78c6efaaca324d734851b948631d92609828a3d138f2493c3306b313a99f8a21ca0caa8a7f5cff6b3482aa4b53f455f25650f6c195d14327f
-
Filesize
200B
MD5aef01560c9a461ace84754307ef0804f
SHA1079a514af6a279328cde26b06876fc977449cbfd
SHA2568178cf23d189580f07f73a42ca0d98120c58f2f0598c6f705fa8c6124a09d17e
SHA5129c6e569332311bf024f665debd3b589fefeb65e45ed109bf162cfaa4dfda60d77cde57cc0b14e4658c92ea1bb0c43d440c59e947b342435cdc35d37db0ec6080
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478