Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 22:35
Behavioral task
behavioral1
Sample
JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe
Size: 1.3MB
MD5: 194603da69c0e73be36565d21cfb9846
SHA1: a18742d5b2078dc1187023dd3d5822be196ef7b8
SHA256: 6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d
SHA512: e7378fb181c3e451ebbd8ec802f8c8c54fbef313b641079dc74f23d5ec23f3f7088f2077aae556f5c43df017f7090a385f846494a8f9382f411f249285eeb8bc
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3532 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1952 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4248 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2140 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4708 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4056 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3800 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3108 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1748 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3964 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 4944 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 4944 | schtasks.exe | 87
-
resource | yara_rule
behavioral2/files/0x0008000000023c87-10.dat | dcrat
behavioral2/memory/4028-13-0x0000000000540000-0x0000000000650000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3164 | powershell.exe
3192 | powershell.exe
4088 | powershell.exe
2876 | powershell.exe
3128 | powershell.exe
2640 | powershell.exe
4184 | powershell.exe
1204 | powershell.exe
4712 | powershell.exe
2504 | powershell.exe
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | taskhostw.exe
-
Executes dropped EXE 14 IoCs
pid | Process
4028 | DllCommonsvc.exe
2656 | taskhostw.exe
2036 | taskhostw.exe
4328 | taskhostw.exe
4832 | taskhostw.exe
1504 | taskhostw.exe
396 | taskhostw.exe
4500 | taskhostw.exe
2568 | taskhostw.exe
5048 | taskhostw.exe
2224 | taskhostw.exe
3628 | taskhostw.exe
4468 | taskhostw.exe
2524 | taskhostw.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
15 | raw.githubusercontent.com
16 | raw.githubusercontent.com
40 | raw.githubusercontent.com
41 | raw.githubusercontent.com
45 | raw.githubusercontent.com
46 | raw.githubusercontent.com
56 | raw.githubusercontent.com
25 | raw.githubusercontent.com
39 | raw.githubusercontent.com
53 | raw.githubusercontent.com
54 | raw.githubusercontent.com
55 | raw.githubusercontent.com
57 | raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files\Reference Assemblies\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\ea9f0e6c9e2dcd | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\dllhost.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 13 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | taskhostw.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ea4cc6e66f985d58966537a579b411d7d4cb09c54e70460cff865e321397c4d.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4936
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1912
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2800
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1196
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"14⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3052
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"16⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:3836
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"18⤵PID:1872
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:3080
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"20⤵PID:4328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2220
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"22⤵PID:3996
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:4384
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"24⤵PID:1616
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1516
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"26⤵PID:1284
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:864
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"28⤵PID:744
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:4916
-
-
C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
Network
MITRE ATT&CK Enterprise v15
Downloads