Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-12-2024 21:06
Behavioral task
behavioral1
Sample
JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
-
Size
1.3MB
-
MD5
596fa7efb6978c8cb9463f1b9f362284
-
SHA1
2fdac4fb18abdb83cd16c1a6d4cf7d48050e5003
-
SHA256
afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2
-
SHA512
68dffb7d32b027cd142dcdd88bd973fbb3b4fb5759e6faf2a72f6072da1a710da4874a0e0e6ca6facab3cdbbffa30aa10e2da4291cfe4ae1097021f0f651c567
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5108 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3964 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3648 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3520 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4556 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3444 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 512 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4768 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3696 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3808 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3744 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4616 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1180 | 1536 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4292 | 1536 | schtasks.exe | 88
-
resource | yara_rule
behavioral2/files/0x000a000000023b68-10.dat | dcrat
behavioral2/memory/4984-13-0x0000000000090000-0x00000000001A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4724 | powershell.exe
1016 | powershell.exe
2488 | powershell.exe
1560 | powershell.exe
372 | powershell.exe
5112 | powershell.exe
1916 | powershell.exe
1716 | powershell.exe
944 | powershell.exe
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
-
Executes dropped EXE 13 IoCs
pid | Process
4984 | DllCommonsvc.exe
2140 | fontdrvhost.exe
4216 | fontdrvhost.exe
3260 | fontdrvhost.exe
2368 | fontdrvhost.exe
372 | fontdrvhost.exe
4012 | fontdrvhost.exe
3976 | fontdrvhost.exe
3252 | fontdrvhost.exe
4540 | fontdrvhost.exe
2972 | fontdrvhost.exe
2704 | fontdrvhost.exe
1224 | fontdrvhost.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
58 | raw.githubusercontent.com
18 | raw.githubusercontent.com
43 | raw.githubusercontent.com
44 | raw.githubusercontent.com
48 | raw.githubusercontent.com
55 | raw.githubusercontent.com
56 | raw.githubusercontent.com
57 | raw.githubusercontent.com
19 | raw.githubusercontent.com
28 | raw.githubusercontent.com
42 | raw.githubusercontent.com
49 | raw.githubusercontent.com
59 | raw.githubusercontent.com
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\icsxml\RuntimeBroker.exe | DllCommonsvc.exe
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Google\Update\29c1c3cc0f7685 | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Crashpad\attachments\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\Crashpad\attachments\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\unsecapp.exe | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\bcastdvr\sppsvc.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\bcastdvr\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\bcastdvr\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\de-DE\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\de-DE\886983d96e3d3e | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | fontdrvhost.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4984 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1716 | powershell.exe
Token: SeDebugPrivilege | 1016 | powershell.exe
Token: SeDebugPrivilege | 944 | powershell.exe
Token: SeDebugPrivilege | 2488 | powershell.exe
Token: SeDebugPrivilege | 5112 | powershell.exe
Token: SeDebugPrivilege | 1560 | powershell.exe
Token: SeDebugPrivilege | 1916 | powershell.exe
Token: SeDebugPrivilege | 4724 | powershell.exe
Token: SeDebugPrivilege | 372 | powershell.exe
Token: SeDebugPrivilege | 2140 | fontdrvhost.exe
Token: SeDebugPrivilege | 4216 | fontdrvhost.exe
Token: SeDebugPrivilege | 3260 | fontdrvhost.exe
Token: SeDebugPrivilege | 2368 | fontdrvhost.exe
Token: SeDebugPrivilege | 372 | fontdrvhost.exe
Token: SeDebugPrivilege | 4012 | fontdrvhost.exe
Token: SeDebugPrivilege | 3976 | fontdrvhost.exe
Token: SeDebugPrivilege | 3252 | fontdrvhost.exe
Token: SeDebugPrivilege | 4540 | fontdrvhost.exe
Token: SeDebugPrivilege | 2972 | fontdrvhost.exe
Token: SeDebugPrivilege | 2704 | fontdrvhost.exe
Token: SeDebugPrivilege | 1224 | fontdrvhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\unsecapp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:3812
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:4808
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2608
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:4084
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"13⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:3520
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"15⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:1288
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"17⤵PID:1452
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:4880
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"19⤵PID:4356
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:2992
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"21⤵PID:5052
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:2744
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"23⤵PID:3372
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2372
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"25⤵PID:4244
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:5116
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"27⤵PID:468
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:4036
-
-
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"29⤵PID:852
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 30⤵ PID:5104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292
Network
MITRE ATT&CK Enterprise v15
Downloads