Analysis
-
max time kernel
123s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-12-2024 00:43
Behavioral task
behavioral1
Sample
JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
-
Size
1.3MB
-
MD5
4f01f846774d6aa86f007ff35694f359
-
SHA1
6fa86a12ba02f5d89cbdeee0f3ec57ba4828c1a4
-
SHA256
5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc
-
SHA512
6d0ae358fda729f153be34d4c9580ad1115a05a1a16eca679f878b95351ad4b98c1bb7552f4a0006eb08b91b3d751a0b6f173827645369313e67199eb7ad1ba4
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 660 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5096 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2272 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4084 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4256 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4760 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1332 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4908 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3640 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3664 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3940 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3808 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3604 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4628 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3628 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 1072 | schtasks.exe | 86 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1432 | 1072 | schtasks.exe | 86 |
-
| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x000a000000023b5c-10.dat | dcrat |
| behavioral2/memory/4156-13-0x0000000000410000-0x0000000000520000-memory.dmp | dcrat |
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up the country code configured in the registry, likely for geofencing.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | csrss.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe |
-
Executes dropped EXE 11 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
| flow | ioc |
| --- | --- |
| 39 | raw.githubusercontent.com |
| 43 | raw.githubusercontent.com |
| 44 | raw.githubusercontent.com |
| 45 | raw.githubusercontent.com |
| 54 | raw.githubusercontent.com |
| 55 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 24 | raw.githubusercontent.com |
| 38 | raw.githubusercontent.com |
| 52 | raw.githubusercontent.com |
| 53 | raw.githubusercontent.com |
| 56 | raw.githubusercontent.com |
| 17 | raw.githubusercontent.com |
-
Drops file in Program Files directory 14 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\38384e6a620884 | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Portable Devices\fontdrvhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\MSBuild\explorer.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\SppExtComObj.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\MSBuild\7a0fd90576e088 | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\VLC\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OfficeClickToRun.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Portable Devices\5b884080fd4f94 | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\VLC\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Defender\ja-JP\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\e6c9b481da804f | DllCommonsvc.exe |
-
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Help\fontdrvhost.exe | DllCommonsvc.exe |
| File created | C:\Windows\Help\5b884080fd4f94 | DllCommonsvc.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
-
Modifies registry class 10 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | csrss.exe |
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4156 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 4420 | powershell.exe |
| Token: SeDebugPrivilege | 636 | powershell.exe |
| Token: SeDebugPrivilege | 2660 | powershell.exe |
| Token: SeDebugPrivilege | 1636 | powershell.exe |
| Token: SeDebugPrivilege | 3612 | powershell.exe |
| Token: SeDebugPrivilege | 4036 | powershell.exe |
| Token: SeDebugPrivilege | 1772 | powershell.exe |
| Token: SeDebugPrivilege | 1300 | powershell.exe |
| Token: SeDebugPrivilege | 1724 | powershell.exe |
| Token: SeDebugPrivilege | 888 | powershell.exe |
| Token: SeDebugPrivilege | 3476 | csrss.exe |
| Token: SeDebugPrivilege | 208 | powershell.exe |
| Token: SeDebugPrivilege | 4476 | powershell.exe |
| Token: SeDebugPrivilege | 4672 | csrss.exe |
| Token: SeDebugPrivilege | 1636 | csrss.exe |
| Token: SeDebugPrivilege | 1916 | csrss.exe |
| Token: SeDebugPrivilege | 5100 | csrss.exe |
| Token: SeDebugPrivilege | 3832 | csrss.exe |
| Token: SeDebugPrivilege | 920 | csrss.exe |
| Token: SeDebugPrivilege | 3568 | csrss.exe |
| Token: SeDebugPrivilege | 1712 | csrss.exe |
| Token: SeDebugPrivilege | 1772 | csrss.exe |
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OfficeClickToRun.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:3816
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:4456
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:1444
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:5092
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2072
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat" 16⤵ PID:3920
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:4660
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat" 18⤵ PID:916
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:4360
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat" 20⤵ PID:528
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2768
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat" 22⤵ PID:4984
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2876
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat" 24⤵ PID:548
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:1956
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 25⤵ PID:3196
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat" 26⤵ PID:1412
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:3152
-
-
C:\Program Files\VideoLAN\VLC\csrss.exe "C:\Program Files\VideoLAN\VLC\csrss.exe" 27⤵ PID:836
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat" 28⤵ PID:5072
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 29⤵ PID:2012
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OfficeClickToRun.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OfficeClickToRun.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OfficeClickToRun.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\providercommon\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
Network
MITRE ATT&CK Enterprise v15
Downloads