Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 30/12/2024, 01:55

Behavioral task: behavioral1
Sample: JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Size: 1.3MB
MD5: bc2b67f63b3b07241fde5db665cd8022
SHA1: 9811b6429483dd3e85992a2bc3df2f70c08c112c
SHA256: bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874
SHA512: 08928d21f9b71341618240f68b73be07979f4d213db60051a9a40033f04d669c56981e176c6e67e0ce6ef0b42fef110c77033f879976047237f24f15869e6d24
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4044 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 440 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1324 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4824 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4884 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4008 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4736 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4204 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4244 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1408 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4904 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3440 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 4556 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4164 | 4556 | schtasks.exe | 88

resource | yara_rule
behavioral2/files/0x0007000000023c8c-9.dat | dcrat
behavioral2/memory/4084-13-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | csrss.exe

Executes dropped EXE 16 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
flow | ioc
59 | raw.githubusercontent.com
21 | raw.githubusercontent.com
28 | raw.githubusercontent.com
47 | raw.githubusercontent.com
48 | raw.githubusercontent.com
54 | raw.githubusercontent.com
55 | raw.githubusercontent.com
41 | raw.githubusercontent.com
43 | raw.githubusercontent.com
53 | raw.githubusercontent.com
56 | raw.githubusercontent.com
12 | raw.githubusercontent.com
13 | raw.githubusercontent.com
20 | raw.githubusercontent.com
42 | raw.githubusercontent.com
57 | raw.githubusercontent.com
58 | raw.githubusercontent.com

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\diagnostics\system\Printer\de-DE\Registry.exe | DllCommonsvc.exe
File created | C:\Windows\PLA\Templates\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\PLA\Templates\56085415360792 | DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry class 16 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 43 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4084 | DllCommonsvc.exe
Token: SeDebugPrivilege | 5004 | powershell.exe
Token: SeDebugPrivilege | 1652 | powershell.exe
Token: SeDebugPrivilege | 4412 | powershell.exe
Token: SeDebugPrivilege | 4972 | powershell.exe
Token: SeDebugPrivilege | 4408 | powershell.exe
Token: SeDebugPrivilege | 4656 | powershell.exe
Token: SeDebugPrivilege | 4112 | powershell.exe
Token: SeDebugPrivilege | 1500 | powershell.exe
Token: SeDebugPrivilege | 4944 | csrss.exe
Token: SeDebugPrivilege | 1712 | csrss.exe
Token: SeDebugPrivilege | 3708 | csrss.exe
Token: SeDebugPrivilege | 2564 | csrss.exe
Token: SeDebugPrivilege | 904 | csrss.exe
Token: SeDebugPrivilege | 2068 | csrss.exe
Token: SeDebugPrivilege | 4820 | csrss.exe
Token: SeDebugPrivilege | 2456 | csrss.exe
Token: SeDebugPrivilege | 1100 | csrss.exe
Token: SeDebugPrivilege | 3328 | csrss.exe
Token: SeDebugPrivilege | 4584 | csrss.exe
Token: SeDebugPrivilege | 3432 | csrss.exe
Token: SeDebugPrivilege | 4132 | csrss.exe
Token: SeDebugPrivilege | 2720 | csrss.exe
Token: SeDebugPrivilege | 2444 | csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280

2⤵ C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588

3⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280

4⤵ C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

5⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

6⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
- Suspicious use of WriteProcessMemory
PID:5080

7⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4816

7⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

8⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat"
- Suspicious use of WriteProcessMemory
PID:2336

9⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3432

9⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

10⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
- Suspicious use of WriteProcessMemory
PID:2200

11⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2808

11⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

12⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
- Suspicious use of WriteProcessMemory
PID:4220

13⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2688

13⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

14⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
- Suspicious use of WriteProcessMemory
PID:1408

15⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3032

15⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

16⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
- Suspicious use of WriteProcessMemory
PID:3320

17⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1864

17⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

18⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
PID:5040

19⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1516

19⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

20⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
PID:1436

21⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4748

21⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

22⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
PID:1576

23⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4232

23⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

24⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
PID:4476

25⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3056

25⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

26⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
PID:2068

27⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1732

27⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

28⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
PID:5072

29⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4036

29⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

30⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
PID:568

31⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2532

31⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

32⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
PID:3848

33⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2564

33⤵ C:\Users\Public\Desktop\csrss.exe
"C:\Users\Public\Desktop\csrss.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

34⤵ C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
PID:4352

35⤵ C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2516

C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\providercommon\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\providercommon\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\providercommon\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
Network
MITRE ATT&CK Enterprise v15
Downloads