Analysis
-
max time kernel
146s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system -
submitted
01/11/2022, 11:43
Behavioral task
behavioral1
Sample
d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
Resource
win10-20220812-en
General
-
Target
d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
-
Size
1.3MB
-
MD5
a37c7bb0f9b5bbd814388bc40cd5d638
-
SHA1
821717ebf915edd7c627dbe52b8e1fd18e76d482
-
SHA256
d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad
-
SHA512
bac98a4ab9d84e2568f549df981a2a25713f141fd7eedf8c0562e763a25f70ab6702ff2e0ec5b06faf09aafd4aeed37fb461dca2a3ae1ca6b84d12b28690641c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3128 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4384 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4336 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4648 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4636 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5024 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5068 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5040 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4964 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4928 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3668 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1576 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4512 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4380 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4676 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4492 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4672 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4428 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4696 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4692 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3132 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1064 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 3996 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1268 | 3996 | schtasks.exe | 70
-
resource | yara_rule
behavioral1/files/0x000800000001ac2d-279.dat | dcrat
behavioral1/files/0x000800000001ac2d-280.dat | dcrat
behavioral1/memory/4984-281-0x0000000000E50000-0x0000000000F60000-memory.dmp | dcrat
behavioral1/files/0x000600000001ac49-323.dat | dcrat
behavioral1/files/0x000600000001ac49-324.dat | dcrat
behavioral1/files/0x000600000001ac49-667.dat | dcrat
behavioral1/files/0x000600000001ac49-674.dat | dcrat
behavioral1/files/0x000600000001ac49-679.dat | dcrat
behavioral1/files/0x000600000001ac49-684.dat | dcrat
behavioral1/files/0x000600000001ac49-689.dat | dcrat
behavioral1/files/0x000600000001ac49-694.dat | dcrat
behavioral1/files/0x000600000001ac49-700.dat | dcrat
behavioral1/files/0x000600000001ac49-705.dat | dcrat
behavioral1/files/0x000600000001ac49-710.dat | dcrat
behavioral1/files/0x000600000001ac49-715.dat | dcrat
behavioral1/files/0x000600000001ac49-720.dat | dcrat
-
Executes dropped EXE 13 IoCs
pid | Process
4984 | DllCommonsvc.exe
4448 | dwm.exe
1684 | dwm.exe
1448 | dwm.exe
4240 | dwm.exe
3896 | dwm.exe
1152 | dwm.exe
4884 | dwm.exe
4228 | dwm.exe
4640 | dwm.exe
860 | dwm.exe
3508 | dwm.exe
4232 | dwm.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\886983d96e3d3e | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\RemotePackages\RemoteDesktops\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\RemotePackages\RemoteDesktops\088424020bedd6 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5024 | schtasks.exe
4548 | schtasks.exe
1108 | schtasks.exe
4964 | schtasks.exe
3004 | schtasks.exe
4380 | schtasks.exe
1268 | schtasks.exe
3128 | schtasks.exe
4648 | schtasks.exe
5068 | schtasks.exe
5040 | schtasks.exe
4676 | schtasks.exe
3132 | schtasks.exe
1064 | schtasks.exe
3668 | schtasks.exe
2544 | schtasks.exe
4512 | schtasks.exe
4428 | schtasks.exe
4696 | schtasks.exe
4636 | schtasks.exe
1576 | schtasks.exe
4492 | schtasks.exe
4672 | schtasks.exe
1440 | schtasks.exe
4692 | schtasks.exe
3016 | schtasks.exe
4384 | schtasks.exe
4336 | schtasks.exe
4928 | schtasks.exe
820 | schtasks.exe
-
Modifies registry class 12 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | dwm.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
4984 | DllCommonsvc.exe
996 | powershell.exe
996 | powershell.exe
860 | powershell.exe
860 | powershell.exe
1808 | powershell.exe
1808 | powershell.exe
4584 | powershell.exe
4584 | powershell.exe
3308 | powershell.exe
3308 | powershell.exe
996 | powershell.exe
3312 | powershell.exe
3312 | powershell.exe
2204 | powershell.exe
2204 | powershell.exe
2892 | powershell.exe
2892 | powershell.exe
640 | powershell.exe
640 | powershell.exe
1876 | powershell.exe
1876 | powershell.exe
2980 | powershell.exe
2980 | powershell.exe
4584 | powershell.exe
4448 | dwm.exe
4448 | dwm.exe
996 | powershell.exe
2980 | powershell.exe
2892 | powershell.exe
640 | powershell.exe
1876 | powershell.exe
3308 | powershell.exe
1808 | powershell.exe
860 | powershell.exe
4584 | powershell.exe
2980 | powershell.exe
2892 | powershell.exe
3312 | powershell.exe
2204 | powershell.exe
1876 | powershell.exe
640 | powershell.exe
3308 | powershell.exe
1808 | powershell.exe
860 | powershell.exe
3312 | powershell.exe
2204 | powershell.exe
1684 | dwm.exe
1448 | dwm.exe
4240 | dwm.exe
3896 | dwm.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4984 | DllCommonsvc.exe
Token: SeDebugPrivilege | 996 | powershell.exe
Token: SeDebugPrivilege | 860 | powershell.exe
Token: SeDebugPrivilege | 1808 | powershell.exe
Token: SeDebugPrivilege | 4584 | powershell.exe
Token: SeDebugPrivilege | 3308 | powershell.exe
Token: SeDebugPrivilege | 4448 | dwm.exe
Token: SeDebugPrivilege | 3312 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 2892 | powershell.exe
Token: SeDebugPrivilege | 640 | powershell.exe
Token: SeDebugPrivilege | 1876 | powershell.exe
Token: SeDebugPrivilege | 2980 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 996 | powershell.exe
Token: SeSecurityPrivilege | 996 | powershell.exe
Token: SeTakeOwnershipPrivilege | 996 | powershell.exe
Token: SeLoadDriverPrivilege | 996 | powershell.exe
Token: SeSystemProfilePrivilege | 996 | powershell.exe
Token: SeSystemtimePrivilege | 996 | powershell.exe
Token: SeProfSingleProcessPrivilege | 996 | powershell.exe
Token: SeIncBasePriorityPrivilege | 996 | powershell.exe
Token: SeCreatePagefilePrivilege | 996 | powershell.exe
Token: SeBackupPrivilege | 996 | powershell.exe
Token: SeRestorePrivilege | 996 | powershell.exe
Token: SeShutdownPrivilege | 996 | powershell.exe
Token: SeDebugPrivilege | 996 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 996 | powershell.exe
Token: SeRemoteShutdownPrivilege | 996 | powershell.exe
Token: SeUndockPrivilege | 996 | powershell.exe
Token: SeManageVolumePrivilege | 996 | powershell.exe
Token: 33 | 996 | powershell.exe
Token: 34 | 996 | powershell.exe
Token: 35 | 996 | powershell.exe
Token: 36 | 996 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1808 | powershell.exe
Token: SeSecurityPrivilege | 1808 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1808 | powershell.exe
Token: SeLoadDriverPrivilege | 1808 | powershell.exe
Token: SeSystemProfilePrivilege | 1808 | powershell.exe
Token: SeSystemtimePrivilege | 1808 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1808 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1808 | powershell.exe
Token: SeCreatePagefilePrivilege | 1808 | powershell.exe
Token: SeBackupPrivilege | 1808 | powershell.exe
Token: SeRestorePrivilege | 1808 | powershell.exe
Token: SeShutdownPrivilege | 1808 | powershell.exe
Token: SeDebugPrivilege | 1808 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1808 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1808 | powershell.exe
Token: SeUndockPrivilege | 1808 | powershell.exe
Token: SeManageVolumePrivilege | 1808 | powershell.exe
Token: 33 | 1808 | powershell.exe
Token: 34 | 1808 | powershell.exe
Token: 35 | 1808 | powershell.exe
Token: 36 | 1808 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 640 | powershell.exe
Token: SeSecurityPrivilege | 640 | powershell.exe
Token: SeTakeOwnershipPrivilege | 640 | powershell.exe
Token: SeLoadDriverPrivilege | 640 | powershell.exe
Token: SeSystemProfilePrivilege | 640 | powershell.exe
Token: SeSystemtimePrivilege | 640 | powershell.exe
Token: SeProfSingleProcessPrivilege | 640 | powershell.exe
Token: SeIncBasePriorityPrivilege | 640 | powershell.exe
Token: SeCreatePagefilePrivilege | 640 | powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2692 wrote to memory of 4836 | 2692 | d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe | 66
PID 2692 wrote to memory of 4836 | 2692 | d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe | 66
PID 2692 wrote to memory of 4836 | 2692 | d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe | 66
PID 4836 wrote to memory of 4232 | 4836 | WScript.exe | 67
PID 4836 wrote to memory of 4232 | 4836 | WScript.exe | 67
PID 4836 wrote to memory of 4232 | 4836 | WScript.exe | 67
PID 4232 wrote to memory of 4984 | 4232 | cmd.exe | 69
PID 4232 wrote to memory of 4984 | 4232 | cmd.exe | 69
PID 4984 wrote to memory of 996 | 4984 | DllCommonsvc.exe | 101
PID 4984 wrote to memory of 996 | 4984 | DllCommonsvc.exe | 101
PID 4984 wrote to memory of 860 | 4984 | DllCommonsvc.exe | 103
PID 4984 wrote to memory of 860 | 4984 | DllCommonsvc.exe | 103
PID 4984 wrote to memory of 1808 | 4984 | DllCommonsvc.exe | 106
PID 4984 wrote to memory of 1808 | 4984 | DllCommonsvc.exe | 106
PID 4984 wrote to memory of 4584 | 4984 | DllCommonsvc.exe | 105
PID 4984 wrote to memory of 4584 | 4984 | DllCommonsvc.exe | 105
PID 4984 wrote to memory of 3312 | 4984 | DllCommonsvc.exe | 107
PID 4984 wrote to memory of 3312 | 4984 | DllCommonsvc.exe | 107
PID 4984 wrote to memory of 3308 | 4984 | DllCommonsvc.exe | 111
PID 4984 wrote to memory of 3308 | 4984 | DllCommonsvc.exe | 111
PID 4984 wrote to memory of 2204 | 4984 | DllCommonsvc.exe | 109
PID 4984 wrote to memory of 2204 | 4984 | DllCommonsvc.exe | 109
PID 4984 wrote to memory of 2892 | 4984 | DllCommonsvc.exe | 113
PID 4984 wrote to memory of 2892 | 4984 | DllCommonsvc.exe | 113
PID 4984 wrote to memory of 640 | 4984 | DllCommonsvc.exe | 115
PID 4984 wrote to memory of 640 | 4984 | DllCommonsvc.exe | 115
PID 4984 wrote to memory of 1876 | 4984 | DllCommonsvc.exe | 116
PID 4984 wrote to memory of 1876 | 4984 | DllCommonsvc.exe | 116
PID 4984 wrote to memory of 2980 | 4984 | DllCommonsvc.exe | 117
PID 4984 wrote to memory of 2980 | 4984 | DllCommonsvc.exe | 117
PID 4984 wrote to memory of 4448 | 4984 | DllCommonsvc.exe | 123
PID 4984 wrote to memory of 4448 | 4984 | DllCommonsvc.exe | 123
PID 4448 wrote to memory of 4684 | 4448 | dwm.exe | 124
PID 4448 wrote to memory of 4684 | 4448 | dwm.exe | 124
PID 4684 wrote to memory of 4644 | 4684 | cmd.exe | 127
PID 4684 wrote to memory of 4644 | 4684 | cmd.exe | 127
PID 4684 wrote to memory of 1684 | 4684 | cmd.exe | 128
PID 4684 wrote to memory of 1684 | 4684 | cmd.exe | 128
PID 1684 wrote to memory of 4288 | 1684 | dwm.exe | 129
PID 1684 wrote to memory of 4288 | 1684 | dwm.exe | 129
PID 4288 wrote to memory of 4316 | 4288 | cmd.exe | 131
PID 4288 wrote to memory of 4316 | 4288 | cmd.exe | 131
PID 4288 wrote to memory of 1448 | 4288 | cmd.exe | 132
PID 4288 wrote to memory of 1448 | 4288 | cmd.exe | 132
PID 1448 wrote to memory of 1780 | 1448 | dwm.exe | 133
PID 1448 wrote to memory of 1780 | 1448 | dwm.exe | 133
PID 1780 wrote to memory of 1108 | 1780 | cmd.exe | 135
PID 1780 wrote to memory of 1108 | 1780 | cmd.exe | 135
PID 1780 wrote to memory of 4240 | 1780 | cmd.exe | 136
PID 1780 wrote to memory of 4240 | 1780 | cmd.exe | 136
PID 4240 wrote to memory of 984 | 4240 | dwm.exe | 137
PID 4240 wrote to memory of 984 | 4240 | dwm.exe | 137
PID 984 wrote to memory of 2096 | 984 | cmd.exe | 139
PID 984 wrote to memory of 2096 | 984 | cmd.exe | 139
PID 984 wrote to memory of 3896 | 984 | cmd.exe | 140
PID 984 wrote to memory of 3896 | 984 | cmd.exe | 140
PID 3896 wrote to memory of 3320 | 3896 | dwm.exe | 143
PID 3896 wrote to memory of 3320 | 3896 | dwm.exe | 143
PID 3320 wrote to memory of 3768 | 3320 | cmd.exe | 141
PID 3320 wrote to memory of 3768 | 3320 | cmd.exe | 141
PID 3320 wrote to memory of 1152 | 3320 | cmd.exe | 144
PID 3320 wrote to memory of 1152 | 3320 | cmd.exe | 144
PID 1152 wrote to memory of 5112 | 1152 | dwm.exe | 145
PID 1152 wrote to memory of 5112 | 1152 | dwm.exe | 145
Processes
-
C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe "C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe" 1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692
-
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Suspicious use of WriteProcessMemory
PID:4836
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:4232
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe' 5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:4684
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:4644
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:4288
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:4316
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:1780
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:1108
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:984
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2096
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3896
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:3320
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat" 16⤵ PID:5112
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:4280
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 17⤵
- Executes dropped EXE
- Modifies registry class
PID:4884
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat" 18⤵ PID:3668
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:4444
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 19⤵
- Executes dropped EXE
- Modifies registry class
PID:4228
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat" 20⤵ PID:2136
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2368
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 21⤵
- Executes dropped EXE
- Modifies registry class
PID:4640
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat" 22⤵ PID:676
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:4332
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 23⤵
- Executes dropped EXE
- Modifies registry class
PID:860
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat" 24⤵ PID:4676
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:820
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 25⤵
- Executes dropped EXE
- Modifies registry class
PID:3508
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat" 26⤵ PID:3948
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:4852
-
C:\Users\Default User\dwm.exe "C:\Users\Default User\dwm.exe" 27⤵
- Executes dropped EXE
PID:4232
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\odt\taskhostw.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1⤵ PID:3768
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1KB
MD53985020ab434157da02385c52ec285e6
SHA12e3e913f675ca3585637428eaf63820e5ba88049
SHA25699fbfced2673a0f470413a1d07378952c4bb56951bd15173f5c94cf7f3a2d3d7
SHA51289d5f3de0d6f0fffdefe8921805e31f60d9c17f65191ff2deefdb8edfdd8e08cf3d67053454209ca157edb48de3e1ef7f55b9112702eafa0748e53c14645ba37
-
Filesize
1KB
MD55dd00c7ba9f272b7f4c57f468c41b93d
SHA115782aca42890803597aaebf2a45b8cbfbfc8729
SHA2563155b21e853a00cb37cb5c56d9a1cfad02f27325c29edd49aeb934e2b5e30d09
SHA5122741d6fef900f3a80381420ecb112c3f73fc9d3b6f78ba2a0e90d8081d1ef202319fca67aa713fb87607913f7d404714cb61a8e7b4bffabfc29df8c3ece04c95
-
Filesize
194B
MD59e04d28a7ab8c30cfb95f3c32a6ce159
SHA1c955ed3b088d65603195ad6870adf36eea5ed9d1
SHA2567ee12c49e8cc8e9b3f73dc48b9d285f5cce56ef63c5869c6f8d623630a2ea0d7
SHA512217d24296e8e990b5deeaceca48dbea3e277ca7c367f2630e8eae7a6ec67372eda9a2749e2a116630e52dcd2391f5f9d3ca3c9038f286c5fd84339deb46abe81
-
Filesize
194B
MD582fdb3d21a86f08857c35643740be813
SHA12febcd7bcbecf0f90455537f56b34c1ae4eb8cca
SHA25674a7b3f25d90e08aa363cf102066265a40da64ec10481397aaaf3dcb4c4a0333
SHA512fe86ef71a2b73b87a433cc97191424c752279cee8aee5b86cf94c1a1c3db33cef59327dc593dc481579f2edd964ea8d51345f7849d88ec5a2f39d3ebd0868c58
-
Filesize
194B
MD520f7c485b03cc57ad6f7cbefdb37bb7c
SHA10b21875774ee80dde89019ee4c4e8c3227418eb3
SHA256964047e7f05d197b9940bb8076bd6d49ad0d45b75500f5fedf19de0de180065f
SHA51292e87d15064694dd29fcbee49ffce49aeb6e19314a3ef2b8410d2047f97142a902ac11968cdea66ffa373caac1a0852d1e7f0f4c4ba70d8642f984c4c93c5e47
-
Filesize
194B
MD520f7c485b03cc57ad6f7cbefdb37bb7c
SHA10b21875774ee80dde89019ee4c4e8c3227418eb3
SHA256964047e7f05d197b9940bb8076bd6d49ad0d45b75500f5fedf19de0de180065f
SHA51292e87d15064694dd29fcbee49ffce49aeb6e19314a3ef2b8410d2047f97142a902ac11968cdea66ffa373caac1a0852d1e7f0f4c4ba70d8642f984c4c93c5e47
-
Filesize
194B
MD58eaade41e684463c9b93bb92421b8279
SHA138548fecfc349b79462d58397a5cbf532aa4cd29
SHA25673205143e2a24566d29fd0cad1594e82a9a268d99ea73ad40a446251807e7b59
SHA5120574c841c5cb1dc3226fd889f7f88b90ccd462452fd10395cd7689df49c6ce49bff357dd41ea43dc655b6a2a4864f9b4df885daf22b72ce2b3b085fb149aec78
-
Filesize
194B
MD5d9d80d20110f3c63629454c8813104a3
SHA11e5131b32f16f215b917fa6489557b03e83e7c03
SHA2567bfadaeb5da17ad334bc8186e07352edbe4b1dfd013dd69a0573d703119fa81a
SHA51291bc82b1d0a7d215b12561afd9e9f4f959b87cd83c03591b8b2ad65060de8138fb590b3839506bd8aa4ad1827c31dd41a1c0b236c51cb5db62c311824e0be732
-
Filesize
194B
MD5954e8e2d19ad41a101c20ee8282ef6a4
SHA1e700643bc5ae16c11cddc3cddaa3ca3a46527d02
SHA25619248ded61a3ab46dd62feeb25ac9d76505a134add7afc47cdb2dd1a9a29ce1a
SHA5120a2821b80d7293414ec15f3592082ff26151feae7277170f44caf0c52dd986a48930b8717558a305d9c31db0ab9ef0680d3a4c914d4cdb982bc7ddb579dff5d8
-
Filesize
194B
MD5da3939045d8a4d5bfd6bc2dbad6da27b
SHA196ad34d7e6d5f9bd87569596542a0fddd1da03fe
SHA256bb51a9f95bc97d807b3cd6dca42d2e065ba0af927f17c4a63fcc049c55a63c9b
SHA5120fb4e7b30025a727a11ee7d61991bcf3c877508b4292a407227f12ae5598b4c1860f4d2270bcb51b898540b05a7cdd9b387fd3d8bbcbb8c2b06f4c71e2a9fa86
-
Filesize
194B
MD5f180b4aa885cec7de334bb81ee482bf9
SHA1d887016220db2cba6fe22fd7779926160b45b2e0
SHA256df47d40b0dcd29f35faf794d18a43d719bb648510e0add40f87b19e83719a963
SHA51280a1d90249e15b2bf3d23bcd75727a82390e19d1dacab167865b732e8ab4eedf721dfe3586fd301a848e854cfbf6da532242076919e621a9383c5ad6e378be9e
-
Filesize
194B
MD56d8c63418c2eee313755a943d87f0844
SHA111c75c446b177406e045b2c16fa39c4e4bb94751
SHA256bf68d79c6422632d1ed34b810f9cf19a2c611e07a936d612cbec41d7e11c9938
SHA51291754098553b38a4ac02e8fab725418cda31a0939898465ab823b6690a109ab1d0fb26e5344e49d8bce62617cd95f44074740d5f38ffd45a3d55df45cbc40692
-
Filesize
194B
MD5be1e81f24f40a40b7d0c0f16f0129965
SHA1752659fcbd4b5573f9b159f72940f7ada96bf493
SHA2562701fbfeb4f31d6672d55fb1515ed8ebff1d360013e9af56bdcfcc17b827b40a
SHA512dca32b4b48b60fb27237b7ddea473815be1f56703763260865ef0b5f55bd5464a24085306fc6a0c9db336d3fbfa2c18d7402043527d77b74ad9d19b08ce31dbb
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478