Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/11/2022, 11:37
Behavioral task
behavioral1
Sample
f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe
Resource
win10-20220901-en
General
Target: f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe
Size: 1.3MB
MD5: 540f580f1975e6ad3b45dc3ad3a3c233
SHA1: b91b221b6606d681c16ad7fca2f3f5d019323b20
SHA256: f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8
SHA512: f6e70b41260552d33ba69be58c9c4fe9d129dc14ed74d86a481c7feda8b13fb8e18a1192ffe02c9004dd2ec26d1b2ef8faa76bdfc8bc001b947fa050f85203fd
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 13 IoCs
pid Process
4616 DllCommonsvc.exe
4692 System.exe
4472 System.exe
1304 System.exe
1016 System.exe
4264 System.exe
2288 System.exe
2780 System.exe
4028 System.exe
416 System.exe
524 System.exe
4276 System.exe
5020 System.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 9 IoCs
description ioc Process
File created C:\Program Files\Java\jdk1.8.0_66\bin\6203df4a6bafc7 DllCommonsvc.exe
File created C:\Program Files\Windows Mail\en-US\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\Windows Mail\en-US\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe DllCommonsvc.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\Office16\csrss.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\Office16\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\System.exe DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\27d1bcfc3c54e0 DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\Provisioning\Cosa\OEM\winlogon.exe DllCommonsvc.exe
File created C:\Windows\Provisioning\Cosa\OEM\cc11b995f2a76d DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 13 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings DllCommonsvc.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings System.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe "C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe" 1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\csrss.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\System.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\sppsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:768
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:4844
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:1980
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat" 11⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:2688
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat" 13⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:1576
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat" 15⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:3788
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 16⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat" 17⤵ PID:364
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:3276
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 18⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat" 19⤵ PID:3488
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:656
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 20⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat" 21⤵ PID:1556
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:4508
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 22⤵
- Executes dropped EXE
- Modifies registry class
PID:416 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat" 23⤵ PID:4700
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:4616
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 24⤵
- Executes dropped EXE
- Modifies registry class
PID:524 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat" 25⤵ PID:4220
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:5052
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 26⤵
- Executes dropped EXE
- Modifies registry class
PID:4276 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat" 27⤵ PID:768
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:3332
-
-
C:\Program Files (x86)\MSBuild\Microsoft\System.exe "C:\Program Files (x86)\MSBuild\Microsoft\System.exe" 28⤵
- Executes dropped EXE
PID:5020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
Downloads
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1KB
MD5d63ff49d7c92016feb39812e4db10419
SHA12307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA51200f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD5abf7fc04f64886ca908084fdacf6b490
SHA16e54771bf8208d50eb2e28f19fbc39a89d73e177
SHA2561bdeec29a69dc2353c6fb83a30ef8e4c261ea619d52e59f46bd1171cc6b2603d
SHA5127baebde225b8510c43452a61695c14d85432ada4d568e2432775b04a90a912e7238b717d60397f6cd48409bf808c91e13489383b08ead8d5aada439d026183c9
-
Filesize
1KB
MD50bdfaa14d7814b541a77f4e97920dfd6
SHA1c239720eee47db7f7136bb78e37c539b9e735c4c
SHA2564c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272
SHA512dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608
-
Filesize
1KB
MD5abf7fc04f64886ca908084fdacf6b490
SHA16e54771bf8208d50eb2e28f19fbc39a89d73e177
SHA2561bdeec29a69dc2353c6fb83a30ef8e4c261ea619d52e59f46bd1171cc6b2603d
SHA5127baebde225b8510c43452a61695c14d85432ada4d568e2432775b04a90a912e7238b717d60397f6cd48409bf808c91e13489383b08ead8d5aada439d026183c9
-
Filesize
1KB
MD5edf66e57ae463c5ef325c9c4c1387a42
SHA19cbe9222c0234720109eb65e8f08e6248a55331c
SHA256cc3587d30b9ca51a23d728d13a73edaa23cc91d786eda692fc7b938c1393c260
SHA512a9f99e62b3be13bf872558fa95e681122dae948c85534f698369dc648393982ca146d26a804bc9d4cd7bb2823f1f5adc8d05329bd83e20e8c31889009e090afd
-
Filesize
1KB
MD516702505b6f5af88f06aa6619382bf9a
SHA14b64f968c4a7889b5078a5ab44ced78813153db4
SHA25678a9f48ea9f2dc8e634ef056f2a976f7405cd4175bada9f5cbc0daf992da742c
SHA512a05a3937e8b49854ddf78c93ca35235ceb9f72ab67af36d00c268db28aff86e5120e4505eff0fa0adbd12298deca1515069f993a5f766353404f4723a6bb65d9
-
Filesize
1KB
MD5edf66e57ae463c5ef325c9c4c1387a42
SHA19cbe9222c0234720109eb65e8f08e6248a55331c
SHA256cc3587d30b9ca51a23d728d13a73edaa23cc91d786eda692fc7b938c1393c260
SHA512a9f99e62b3be13bf872558fa95e681122dae948c85534f698369dc648393982ca146d26a804bc9d4cd7bb2823f1f5adc8d05329bd83e20e8c31889009e090afd
-
Filesize
1KB
MD5edf66e57ae463c5ef325c9c4c1387a42
SHA19cbe9222c0234720109eb65e8f08e6248a55331c
SHA256cc3587d30b9ca51a23d728d13a73edaa23cc91d786eda692fc7b938c1393c260
SHA512a9f99e62b3be13bf872558fa95e681122dae948c85534f698369dc648393982ca146d26a804bc9d4cd7bb2823f1f5adc8d05329bd83e20e8c31889009e090afd
-
Filesize
1KB
MD529b209d9727cbb94862959a28841f6a8
SHA1dee0f0b5396aa5ef76f6b57e3882cb839d5b5c9c
SHA256cd1f4392ee8bb902981eff13c269ebc12130925aafab6826588f02b9339d2892
SHA512c326f8c3a27636a21323b1f9a1c55b49aa5760a4548a2208254143df51b6c822ee4cf1d6d7977f9864dd4e38373da9e90a50337172333d5cdc6adea1e4eea57d
-
Filesize
1KB
MD529b209d9727cbb94862959a28841f6a8
SHA1dee0f0b5396aa5ef76f6b57e3882cb839d5b5c9c
SHA256cd1f4392ee8bb902981eff13c269ebc12130925aafab6826588f02b9339d2892
SHA512c326f8c3a27636a21323b1f9a1c55b49aa5760a4548a2208254143df51b6c822ee4cf1d6d7977f9864dd4e38373da9e90a50337172333d5cdc6adea1e4eea57d
-
Filesize
216B
MD53ed2fe80a84d683cd56eb73d9a3681e6
SHA1f4c16e2024877802fa183a27f07b07e282fa6a55
SHA256a4baf1ea979bdec8fe986fe1028bf7f81ecee6e6fa53588664061dc0085f0acc
SHA5128518f4cfcfba920ae0ac795f78d9ba82fafb26aca6ab10fb7f1c142f48f93ac4a6c40af4f9a74988d01781614e135d238fb2e75cdbbad53f0556c8bd2a6228b6
-
Filesize
216B
MD51fda1ee45b830ae50b6a80ba6a98e869
SHA1d8ee1db1147d079390af15c795f4016fd6b19bf6
SHA25619fa24203dbccf01c388dec7ae3af84e3e948d368cf89d115fb6c57c55450b11
SHA5127be4a326681c0a473e09cfde1fc462d652bf11794ec28522afbfdced7db8083760b944ec2a4b458b97b911bb170a8d1bf623584d741c6c43025105ceb67b1f13
-
Filesize
216B
MD545889d1187ae42ea09e11c9181e92305
SHA1285246e52208a22e683394c3eafb22ea4018fc55
SHA2561d9e6e578418b7ea2be8322dbc8d10158a3042a277509551ce54e9ee3eee7b17
SHA51263c6347445193bbb5e77fa5fa466c3d53d0fad01beee309327f7fb4a3167d5d1d4ae41fa3df209cd3bae991c96f2e4f84536462c668bf8ddcb55675813776cb2
-
Filesize
216B
MD5bcad8f63bf49e1f04c7ed57f496269a1
SHA13ddde6230dfe21d802808253366f5e55b9b79642
SHA256918ae2ef1897af6a54b54ed74c1cdabc1d23c66e6a9391ecb27b13586165e73e
SHA5124e1c724b0e4de99bc08551dd13fbf7cd302f7bf9233b3bba09bce3a216afa40b1077f8f7048ace322c06b5f1d1f0b9bc94cf6f9f07c8916b1fc3b9fcf8d4697d
-
Filesize
216B
MD5d3544c44a7bb5b918122465af4ff2083
SHA11706b4f6a1428f0a1aa882b669c02351315b5133
SHA25614630635d69f1efa5a56695b79bbf94a1588942ab03e5120353356e8706a619f
SHA5125360249959b58e4e04a150d68f8f62553c22c41180c67ccc43c2be270f54e4165c848f39b6b0766aa905789595454ecfdf653cf3046334d43a8a4099376e9ba4
-
Filesize
216B
MD5a93422901e3b8c87e18da23a8d19291c
SHA12dbac899a2dd51f52097fbe53b93929c3d5b1c37
SHA256161d1fb4c39df0b031b5fb5e1decaa0368abc05858ce8cdd3b07da9ffb4094e4
SHA5126a841f4d99972b001e9e08cd4ab499c7ef19f4283a4fa91903c2baad6670f1135225100645428dfe8b91cb30d01a77a7602723613e48c2a6cb258b2d458b2849
-
Filesize
216B
MD54a7951267e8ff4bc00e1827e437b7485
SHA130ded6defac1a366d6dd9b4f567b965a20d77af8
SHA256aee9ba502ee5496e1ebe71928077ac7ab030d05e3948bd34732596d19e287334
SHA5127ddd53c8b8ca3a17598220ffc8465b528a85e8015471d81cce4952e83e5f78fe7748a1849ed41544b0a6dd9e8f72822cc41cbb40f66e4f3bd608f68250078447
-
Filesize
216B
MD57e5b4012fa636bc4a1cd12bc0b85a945
SHA11a10b718fff8381ab3716ec33bca7290ab560b26
SHA2563fb03f1bbd57e962cfa49464501a2db59f913a10131c750ab0c3b559c8e29d99
SHA51284778dc91f640ff95a1196dd129adbb0417bf9612305eef3e5df1424765514f71e00cff7551224378b4d9fe9c11cd3f64095508ee3534096038c331930117c64
-
Filesize
216B
MD52b27069a4eb0d4b4651d092e495f7939
SHA1620fdd482ef7318e89c07fd524e4877894480160
SHA256c698ac62e9896f4c2e0cbc23d804c730962ab5be5d8df975954f91ce7468129c
SHA5124d7cb0870f07279c117aad0a2686fef3917e993b7193319063efcfd7a5325c7eea8bef2371f1ce79131a965ab0fbb7f3c9dcca74ac01d34f4c7a841b3326ae06
-
Filesize
216B
MD569efed9115a94abf1d518ae2378de5fd
SHA15cd8e8d2193769e7acf8f53a800695c500bd6360
SHA2567dda6460cdbec09f0f7ba9b24312d5897815c35eb6a46c589fc1cdf59ef2d5ca
SHA512ace971a606dc0ac5aa100d62bc7da2d3334bd3aec2dc5a9e7976f099f57109969486f8385b2d1998b6de21081f18623f6059503a88d70191ffc46435c296b26b
-
Filesize
216B
MD5d64dcb4f2e0cc43a77f6662be41773d2
SHA1f34a62f0198f7a792bf3b9435587294a32b40e3c
SHA2568bbc252ec1c568ec22a3c61d1fa923a71a9973569dd495299d1b7a074cdc2640
SHA5129e0ee12550eafdfbaf00d83fae9293516f1d8bf6dbb0e1470d96689f3f2e082492dbfac75a1f0dad611ec57ebe4c0a805d499504cf6122a96041384b3a8d067a
-
Filesize
216B
MD5befcb53f41f729946fd4ee4dd08f85ee
SHA126e2ecb0e57888e01d268663d687e28e3d208c43
SHA256f0b24bbcfec58d1355ae10da3d3d822fda9633593982c6cad8a2148a701efd95
SHA512f3ed8f8ee70a9e4959c865ccb56e078adbab5a84987b2ae527dfbc880f6b373b206162ff3a95ed2d2664639813ee852318f06168ab5a7a708737d0aa59d6b568
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478