Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-12-2024 23:04
Behavioral task
behavioral1
Sample
JaffaCakes118_b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d.exe
-
Size
1.3MB
-
MD5
8a99f0ae8b3d6c02c4c9396bbb7d79a9
-
SHA1
f5d1d261d27ba7efe0c4a63809a9b78c49e7433b
-
SHA256
b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d
-
SHA512
de97435f508d5ca4ae734d58a2c05c48710c629644cd706cf4a5c5b0da3d574fe9fc206fb130e64e42a882c6e91ec9b7702d707d47cba9d0a5580ffd65dd9b56
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral2/files/0x0007000000023cb2-9.dat | dcrat
behavioral2/memory/4712-13-0x0000000000A60000-0x0000000000B70000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MSBuild\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\de-DE\powershell.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\de-DE\e978f868350d50 | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\assembly\Idle.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\assembly\Idle.exe | DllCommonsvc.exe
File created | C:\Windows\assembly\6ccacd8608530f | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d.exe
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1b53bfb3eb96f58f1772cf35db12598b4cdcc1e9f34850f968939c56ee10b3d.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\Idle.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\RuntimeBroker.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SwwJiUUJDt.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2216
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2212
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2456
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2368
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2448
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat" 16⤵
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:540
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat" 18⤵ PID:2168
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:4424
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat" 20⤵ PID:4412
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2456
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat" 22⤵ PID:5000
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2908
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat" 24⤵ PID:1064
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:2216
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat" 26⤵ PID:2376
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:4152
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat" 28⤵ PID:4360
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 29⤵ PID:4424
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat" 30⤵ PID:3168
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 31⤵ PID:1400
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat" 32⤵ PID:2364
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 33⤵ PID:2732
-
-
C:\Windows\assembly\Idle.exe "C:\Windows\assembly\Idle.exe" 33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat" 34⤵ PID:4292
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 35⤵ PID:1756
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\providercommon\sysmon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\powershell.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
Network
MITRE ATT&CK Enterprise v15
Downloads