Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 02:00
Behavioral task
behavioral1
Sample
JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe
-
Size
1.3MB
-
MD5
3366a3f733a92c923f7fad40563905e7
-
SHA1
3b40dde236c645b1a254f23381bbe739a7b318e0
-
SHA256
032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5
-
SHA512
b1f6f783b4f859c64aefa486660a516e933878f306b6e1c8dd86b7a330932fdafa683db0ea6f04591916dabad529df1f5527f2091980e63fd65fb11520b83299
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2504 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 476 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2400 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1560 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1192 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1204 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1960 3000 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 3000 schtasks.exe 32 -
resource yara_rule behavioral1/files/0x0008000000014b28-11.dat dcrat behavioral1/memory/2904-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp dcrat behavioral1/memory/2392-93-0x0000000000AC0000-0x0000000000BD0000-memory.dmp dcrat behavioral1/memory/548-152-0x0000000000AE0000-0x0000000000BF0000-memory.dmp dcrat behavioral1/memory/2652-212-0x00000000001E0000-0x00000000002F0000-memory.dmp dcrat behavioral1/memory/860-272-0x0000000000E20000-0x0000000000F30000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2480 powershell.exe 1796 powershell.exe 2148 powershell.exe 2216 powershell.exe 2184 powershell.exe 1208 powershell.exe 2920 powershell.exe 3052 powershell.exe 1948 powershell.exe 2428 powershell.exe -
Executes dropped EXE 10 IoCs
pid Process 2904 DllCommonsvc.exe 2392 lsm.exe 548 lsm.exe 2652 lsm.exe 860 lsm.exe 1936 lsm.exe 1576 lsm.exe 2732 lsm.exe 292 lsm.exe 1572 lsm.exe -
Loads dropped DLL 2 IoCs
pid Process 2760 cmd.exe 2760 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 5 raw.githubusercontent.com 9 raw.githubusercontent.com 16 raw.githubusercontent.com 35 raw.githubusercontent.com 4 raw.githubusercontent.com 20 raw.githubusercontent.com 23 raw.githubusercontent.com 27 raw.githubusercontent.com 31 raw.githubusercontent.com 12 raw.githubusercontent.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\WCN\en-US\cmd.exe DllCommonsvc.exe File created C:\Windows\System32\WCN\en-US\ebf1f9fa8afd6d DllCommonsvc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\56085415360792 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\smss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\69ddcba757bf72 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\sppsvc.exe DllCommonsvc.exe File created C:\Windows\Tasks\0a1fd5f707cd16 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1808 schtasks.exe 1484 schtasks.exe 2976 schtasks.exe 2360 schtasks.exe 1256 schtasks.exe 2804 schtasks.exe 548 schtasks.exe 1204 schtasks.exe 852 schtasks.exe 1192 schtasks.exe 476 schtasks.exe 576 schtasks.exe 2768 schtasks.exe 2688 schtasks.exe 1572 schtasks.exe 1536 schtasks.exe 2556 schtasks.exe 2552 schtasks.exe 896 schtasks.exe 2988 schtasks.exe 1560 schtasks.exe 1960 schtasks.exe 2864 schtasks.exe 2968 schtasks.exe 2400 schtasks.exe 2872 schtasks.exe 2504 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2904 DllCommonsvc.exe 2920 powershell.exe 3052 powershell.exe 2184 powershell.exe 1208 powershell.exe 2216 powershell.exe 2428 powershell.exe 2148 powershell.exe 2480 powershell.exe 1796 powershell.exe 1948 powershell.exe 2392 lsm.exe 548 lsm.exe 2652 lsm.exe 860 lsm.exe 1936 lsm.exe 1576 lsm.exe 2732 lsm.exe 292 lsm.exe 1572 lsm.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process Token: SeDebugPrivilege 2904 DllCommonsvc.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 3052 powershell.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeDebugPrivilege 1208 powershell.exe Token: SeDebugPrivilege 2216 powershell.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeDebugPrivilege 2148 powershell.exe Token: SeDebugPrivilege 2480 powershell.exe Token: SeDebugPrivilege 1796 powershell.exe Token: SeDebugPrivilege 1948 powershell.exe Token: SeDebugPrivilege 2392 lsm.exe Token: SeDebugPrivilege 548 lsm.exe Token: SeDebugPrivilege 2652 lsm.exe Token: SeDebugPrivilege 860 lsm.exe Token: SeDebugPrivilege 1936 lsm.exe Token: SeDebugPrivilege 1576 lsm.exe Token: SeDebugPrivilege 2732 lsm.exe Token: SeDebugPrivilege 292 lsm.exe Token: SeDebugPrivilege 1572 lsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1884 wrote to memory of 2388 1884 JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe 28 PID 1884 wrote to memory of 2388 1884 JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe 28 PID 1884 wrote to memory of 2388 1884 JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe 28 PID 1884 wrote to memory of 2388 1884 JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe 28 PID 2388 wrote to memory of 2760 2388 WScript.exe 29 PID 2388 wrote to memory of 2760 2388 WScript.exe 29 PID 2388 wrote to memory of 2760 2388 WScript.exe 29 PID 2388 wrote to memory of 2760 2388 WScript.exe 29 PID 2760 wrote to memory of 2904 2760 cmd.exe 31 PID 2760 wrote to memory of 2904 2760 cmd.exe 31 PID 2760 wrote to memory of 2904 2760 cmd.exe 31 PID 2760 wrote to memory of 2904 2760 cmd.exe 31 PID 2904 wrote to memory of 2216 2904 DllCommonsvc.exe 60 PID 2904 wrote to memory of 2216 2904 DllCommonsvc.exe 60 PID 2904 wrote to memory of 2216 2904 DllCommonsvc.exe 60 PID 2904 wrote to memory of 2184 2904 DllCommonsvc.exe 61 PID 2904 wrote to memory of 2184 2904 DllCommonsvc.exe 61 PID 2904 wrote to memory of 2184 2904 DllCommonsvc.exe 61 PID 2904 wrote to memory of 2148 2904 DllCommonsvc.exe 62 PID 2904 wrote to memory of 2148 2904 DllCommonsvc.exe 62 PID 2904 wrote to memory of 2148 2904 DllCommonsvc.exe 62 PID 2904 wrote to memory of 1796 2904 DllCommonsvc.exe 63 PID 2904 wrote to memory of 1796 2904 DllCommonsvc.exe 63 PID 2904 wrote to memory of 1796 2904 DllCommonsvc.exe 63 PID 2904 wrote to memory of 3052 2904 DllCommonsvc.exe 65 PID 2904 wrote to memory of 3052 2904 DllCommonsvc.exe 65 PID 2904 wrote to memory of 3052 2904 DllCommonsvc.exe 65 PID 2904 wrote to memory of 2920 2904 DllCommonsvc.exe 67 PID 2904 wrote to memory of 2920 2904 DllCommonsvc.exe 67 PID 2904 wrote to memory of 2920 2904 DllCommonsvc.exe 67 PID 2904 wrote to memory of 2480 2904 DllCommonsvc.exe 68 PID 2904 wrote to memory of 2480 2904 DllCommonsvc.exe 68 PID 2904 wrote to memory of 2480 2904 DllCommonsvc.exe 68 PID 2904 wrote to memory of 1208 2904 DllCommonsvc.exe 69 PID 2904 wrote to memory of 1208 2904 DllCommonsvc.exe 69 PID 2904 wrote to memory of 1208 2904 DllCommonsvc.exe 69 PID 2904 wrote to memory of 2428 2904 DllCommonsvc.exe 70 PID 2904 wrote to memory of 2428 2904 DllCommonsvc.exe 70 PID 2904 wrote to memory of 2428 2904 DllCommonsvc.exe 70 PID 2904 wrote to memory of 1948 2904 DllCommonsvc.exe 71 PID 2904 wrote to memory of 1948 2904 DllCommonsvc.exe 71 PID 2904 wrote to memory of 1948 2904 DllCommonsvc.exe 71 PID 2904 wrote to memory of 2392 2904 DllCommonsvc.exe 80 PID 2904 wrote to memory of 2392 2904 DllCommonsvc.exe 80 PID 2904 wrote to memory of 2392 2904 DllCommonsvc.exe 80 PID 2392 wrote to memory of 808 2392 lsm.exe 81 PID 2392 wrote to memory of 808 2392 lsm.exe 81 PID 2392 wrote to memory of 808 2392 lsm.exe 81 PID 808 wrote to memory of 2976 808 cmd.exe 83 PID 808 wrote to memory of 2976 808 cmd.exe 83 PID 808 wrote to memory of 2976 808 cmd.exe 83 PID 808 wrote to memory of 548 808 cmd.exe 84 PID 808 wrote to memory of 548 808 cmd.exe 84 PID 808 wrote to memory of 548 808 cmd.exe 84 PID 548 wrote to memory of 2704 548 lsm.exe 87 PID 548 wrote to memory of 2704 548 lsm.exe 87 PID 548 wrote to memory of 2704 548 lsm.exe 87 PID 2704 wrote to memory of 2712 2704 cmd.exe 89 PID 2704 wrote to memory of 2712 2704 cmd.exe 89 PID 2704 wrote to memory of 2712 2704 cmd.exe 89 PID 2704 wrote to memory of 2652 2704 cmd.exe 90 PID 2704 wrote to memory of 2652 2704 cmd.exe 90 PID 2704 wrote to memory of 2652 2704 cmd.exe 90 PID 2652 wrote to memory of 2144 2652 lsm.exe 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\en-US\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2976
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2712
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"10⤵PID:2144
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:280
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"12⤵PID:2752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1704
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"14⤵PID:1632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2968
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"16⤵PID:2080
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:600
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"18⤵PID:1540
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2804
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"20⤵PID:2928
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2852
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"22⤵PID:568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2288
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56d900b012142cb997cad05f813dfd191
SHA1b680868b09b2d2b36710945e8e31b425f187d22b
SHA256df920698c4eb2ec2ff20c1888d6e73f4aadb208ed0e82eff4f99161ddcde2a4c
SHA5127f2aa670d967da8662547ba7589a72dc872622517544f2310634ac6da89ebdb8bf2aec16f187ad42bb908a5094edc0251c8d73fbdf3bf947c0e6e2664bc69382
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b930d32b133a64f5258b33987072845b
SHA16db64f6075a844c7d32c855196c4a4752fc39ab1
SHA2569b57f2a1bf8fed7da3c452f298fa16969f28645509ba15e1f2bc71697e60c0f7
SHA5124f6eb78c97580dca735fa2f874e5550ae0eb20bdd8a545ae12dd8e945da03220715ba33d3b0abad0d6f21fbbbeb3fed8f555f59790064e6f02e202492d924e41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD583f8fd6fe316457a9fb0188c6d56aec8
SHA1c409909576757c4d187d22cf656240b962c8769c
SHA256623a2d9721aa4bf96b21a3e0d4b1aa3e94b67d1b003b0664ee3d1f46f3e85139
SHA5120495a70155652dfe7def413f6a175bd1b9e3375bbcbb3a98cf387af62ace77ea7eed99a795cd9d226f27b4ffd31c88ce3179391de669f48e7fd1205891de272f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f27dc301ee426a39a0942d7cf0561260
SHA1e284f060fa4ad4357a6ea46ad7652e37d2098920
SHA256aa74b3b42f2cb4e9f6f18e4bf5d4fe3c407d0c1cb0ad129c4f23d2fb326ce6e8
SHA512f63041cb3e04e309ff48b54b1ce3a5e7d3e0b2b49c5caafd6e1fce6a49e1d3005549f01db3821df5cc14a19f9db7e16445816c2b9b825ac3b16516b5be6d550a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f5022d0224f4c880a995022d28e2c44b
SHA1f249ccc977d43356d1d2c87bdbda3dff90943299
SHA256257b8dad98f3746b3b39804d59323e21679a3cd1b16bb31ea14aba3b48c94f2a
SHA5129d8cbd4e9f676914fc202e9f0aa7dbad276214ed7503bb11be8add31b88e6665bee364f15198751c083a9220aed103c730fe0a0d3a71aa4b15942a0c907136c8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55ec380469e10aed9de1e7e315ba9a665
SHA12f80da7e805d8852be82a75db67b40b55870e1e4
SHA256c7d1b616816fee055ee3cbc475bfd4fa6f22761962bdc3603534dd329fc1cefc
SHA51237bc0fad86951816f7de05a1d0b705916d611a1e38c0dc530f41d691379b78a37d37f93df97b7ea6eaf0c1669fd8fbbff2e8b5282dc0536a69a122ae7286adb5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50762ea0188ff0e8b8911f0c90dd374a3
SHA115c4749fb7278b7b809ade7b798a501b4a25e90b
SHA256b9d070fac12cb13d2843ca30b6c268890aafa5445d50c486765c89d31a014f27
SHA5122ee980552acbb5ceca535f6e0194fc4088b3bec0288927d62732ab85387a1f4a42c6dbd76017b5e405fecb428685f8c0401a07f7cb311c99706c2b433a8dfa3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c121ed662a519d17a340948293ded32c
SHA1757fafff672304b3636df501e710f82562368828
SHA2568335a45de8b18c768a662539216db60f70db61f1fc11a2c8977e3b9eacc3967e
SHA512ba12e30d16371d93f02df7ce968d05cd1ce3664492b293af21c74b99c0f621f212b29b7f257b7883a21934fb3df92c50f56095f587dad44c4c5baba71f848e46
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
221B
MD5bbe15c1fbb11222b6eea91f2fd854f82
SHA14a6b6e159e4c87ad271ec36f1286ba134015a02d
SHA25679b5a686f18545218d8d6c3f3f51f23126a13c49549f60067d3d0f99490be740
SHA512ab97c9dff785077eadecf8e3e12c5f703d7d2aadf483c2753ebc6e82656f55f79de31ebd4b832563fa6da8207da076c98c0676c65dd56eae4d8310ee30a4e595
-
Filesize
221B
MD57a4159602f929a3048d6aa523f683b05
SHA19d7c825b7f8e23c9806f2bdbf5610847c3a849a7
SHA25652f5bfb5bf0a7b7f11dd35dc0437255f1d941e40b326bbf7b8f666822142d6d6
SHA512bdabccd8b7655771238a94db0a7e80dea9559d43ea7f29bb54f6e1db7c53247127980fb4a302ef646bf7f26b8c56c06e8393dfbd61d4a0e098b51b1ae832a0cf
-
Filesize
221B
MD59b4fdaa688f21f89468723de69d439bb
SHA147a035248aed81fe82b8b7bc8b5f249d8a4bf40b
SHA2564d2a740ed1ffdf0be765287dedcfd8f41a535f07ecccd32c9ea86db37b8c43e1
SHA512bbb06fb09cd1ce57b93c496bb1b228726de38a8a5eaa07fc09fd943f5598f328487a715ebed7bc2df3df2deed08c0040acef06e5e1889aa3d479a193efc19227
-
Filesize
221B
MD5db71919c2f9bc9e9d847f9dc328e2dd3
SHA146a44d44fe7ca43bdbbe7451539272878b41585e
SHA256b7da24ed1a0bac172c2764ff3e88e99737106a8f7b7df09b61ed5da589ee283e
SHA51257ccdf1ee0a85c7393818ef8a85bf8673156e9f2629a6b0c28d079cf04d31c670f1c89b15ab7594d051d6eafc6ff4cfba04c5b1872feb0bb013d47f2ca2d11d8
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
221B
MD5888ed69f54545c03302a5e5fd0175a49
SHA15538bff378911ab5516ed04b7073ef815e96df80
SHA256b87cae9a83a9acde20ca1c902f976e229a3490d7c3061457fbf62e0bfddfca4e
SHA512c191b1bf2735e50c6ce72da4e5da66e489bcc87df02c57cc824f7eeee3cfe6f1a21e467ec6695ad697ed87044e69ade87818347f5ba8339d74f3df622b665a0e
-
Filesize
221B
MD5f1289adbf642f576b7f1b53c7ef00bbd
SHA14f1395916f0886e14aa7405f9a8108955b9df764
SHA256f91de56aca49a4b9cd3ac8f2b81259471bdb96923896bb0ce10bf8d1fed1f796
SHA5122570541e485b31e1e8551c873b9244c292ca0b960f38ae1feb25c997a8e2fc74fac65536f2a2c416fe6f606ff2ae13a4f3377117f35d7ae00e9b39db3e861ecf
-
Filesize
221B
MD53ca0b1add0059c3258752912ef529a8e
SHA1f85841ee824cf697e516744c0054aedf8182597c
SHA256256aaea51528d09f1aafd25b20518c6d3f20385a4803fa6904e0759470935c46
SHA512a103a784f3302e93352987b408051d892ba51041f203fa7217f4965e5fd913f1bd634807e9185731f7893ca002a8c8a9de633af1c813d6ef5e8eabaff95b79f7
-
Filesize
221B
MD521269e59353586bbb43c7e987df450ce
SHA1f9c5aad5ce118dca45b9eee7c62675ae0de1c705
SHA2562b5cadf4475f2874246a4e0315944d26cc651237e5d9dfa18ff1581d7955fe2c
SHA512be72283cd214f8e9a4539f7a7f1232fe931353e9c82dba5e63f295552e1a170a494e1d4a5aa061cf1aa1c5f9253e802a0fcd8a011cc28384e932bc9832dbcc63
-
Filesize
221B
MD5815b7104d513570fde6344a8a9e27168
SHA1ecb9cbcb4441f80a1fe473db6a82ebaa9a3f9b9d
SHA2568fc962d6b2ad757575f457dab5dd676c1cf679bae4ec0f60f0623a3cda3f863c
SHA512a29869f258c8972fa005449ba18ee9e926a6a7c2dcdfe31bb795e528d2f95838d891457a26d5ec0780565793d9b3d2ea4a1bc8701b15f0597c9eaeee645b0da2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YP1CTHXWVJ3E67MD9JT3.temp
Filesize7KB
MD535edee54363b4a5304001359aab01ef7
SHA17b5e87c9f69a87d08c2f49a4a6757916b895309c
SHA25612951bda19c90486c11b4822972526b11d19f148bb5b16739399ad2a92ed3614
SHA512359ffc226bd97d447ca14cb31608faa4b614aa79b0b5b8462ad1472f6c9abd60f1a7c8506e0f2077372584007a89b966464654b6c88107e1487e3cf17b7cb585
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394