Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01/11/2022, 10:38
Behavioral task
behavioral1
- Sample: 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe
- Resource: win10-20220812-en
General
- Target: 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe
- Size: 1.3MB
- MD5: f7299874531fc831f613494fb647cc2b
- SHA1: 083526deb18f054ef3299c45796a7bb0b0864036
- SHA256: 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9
- SHA512: 13699c8200eec921574f4e40d99879539465a33950f9c0c86fbdecfba1dbd18970816b9ce143d3147504f6dc20c1820f45fd6780eb0ed9a59cc4dbc76a4e8655
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
In each case: parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (schtasks.exe).
-
Executes dropped EXE 15 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\Cursors\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Cursors\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Windows\Resources\Maps\font\services.exe | DllCommonsvc.exe
File created | C:\Windows\Resources\Maps\font\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Windows\rescache\_merged\taskhostw.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe "C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe" 1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Maps\font\services.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\explorer.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe' 5⤵ PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\wininit.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\dwm.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mftNZ3WrbF.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:3324
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:4380
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat" 11⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:4368
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat" 13⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:3116
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 14⤵
- Executes dropped EXE
- Modifies registry class
PID:4244 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat" 15⤵ PID:4448
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:5100
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 16⤵
- Executes dropped EXE
- Modifies registry class
PID:4876 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat" 17⤵ PID:4808
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:2704
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 18⤵
- Executes dropped EXE
- Modifies registry class
PID:4248 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat" 19⤵ PID:3032
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:3788
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 20⤵
- Executes dropped EXE
- Modifies registry class
PID:4780 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat" 21⤵ PID:936
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:1236
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 22⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat" 23⤵ PID:3400
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:4736
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 24⤵
- Executes dropped EXE
- Modifies registry class
PID:3648 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat" 25⤵ PID:4068
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:4896
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 26⤵
- Executes dropped EXE
- Modifies registry class
PID:3732 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat" 27⤵ PID:4956
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:2148
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 28⤵
- Executes dropped EXE
- Modifies registry class
PID:4740 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat" 29⤵ PID:3384
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 30⤵
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat" 31⤵ PID:4800
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 32⤵ PID:2108
-
-
C:\Windows\Resources\Maps\font\services.exe "C:\Windows\Resources\Maps\font\services.exe" 32⤵
- Executes dropped EXE
PID:1564
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Maps\font\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\font\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Maps\font\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:3628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:3908
Network
MITRE ATT&CK Enterprise v6
Downloads