Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 01:16
Behavioral task
behavioral1
Sample
JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe
-
Size
1.3MB
-
MD5
cf0ad2d3ec0bbc4497b85dbb2f0ddeee
-
SHA1
0b344c08f9675c6ee675a0f493b3b21863de0431
-
SHA256
093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63
-
SHA512
09ecc53ee18236dc934e613480f60bf0ef25504a3d33dc64e765121be95b5592a480b3848e116c380e4b5ff11d31e5924d35d4548b32ad6c46352661a167cb20
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3444 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4164 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4156 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3380 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1352 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1448 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1776 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4704 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 2060 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 2060 schtasks.exe 86 -
resource yara_rule behavioral2/files/0x000a000000023bb3-10.dat dcrat behavioral2/memory/4300-13-0x0000000000660000-0x0000000000770000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4984 powershell.exe 980 powershell.exe 1372 powershell.exe 1640 powershell.exe 3228 powershell.exe 1592 powershell.exe 4988 powershell.exe 920 powershell.exe 1348 powershell.exe 3236 powershell.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Registry.exe -
Executes dropped EXE 16 IoCs
pid Process 4300 DllCommonsvc.exe 3364 Registry.exe 4212 Registry.exe 4248 Registry.exe 4720 Registry.exe 4920 Registry.exe 2640 Registry.exe 3528 Registry.exe 988 Registry.exe 1872 Registry.exe 4328 Registry.exe 2820 Registry.exe 2248 Registry.exe 4980 Registry.exe 2596 Registry.exe 5056 Registry.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow ioc 54 raw.githubusercontent.com 41 raw.githubusercontent.com 46 raw.githubusercontent.com 45 raw.githubusercontent.com 47 raw.githubusercontent.com 53 raw.githubusercontent.com 55 raw.githubusercontent.com 57 raw.githubusercontent.com 13 raw.githubusercontent.com 19 raw.githubusercontent.com 56 raw.githubusercontent.com 12 raw.githubusercontent.com 40 raw.githubusercontent.com 15 raw.githubusercontent.com 39 raw.githubusercontent.com -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Multimedia Platform\e1ef82546f0b02 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\TextInputHost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\22eafd247d37c3 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\InputMethod\CHT\sihost.exe DllCommonsvc.exe File created C:\Windows\InputMethod\CHT\66fc9ff0ee96c2 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings Registry.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3380 schtasks.exe 1448 schtasks.exe 2056 schtasks.exe 2960 schtasks.exe 4704 schtasks.exe 3444 schtasks.exe 1156 schtasks.exe 4860 schtasks.exe 4968 schtasks.exe 3120 schtasks.exe 2740 schtasks.exe 3992 schtasks.exe 5024 schtasks.exe 2632 schtasks.exe 876 schtasks.exe 1076 schtasks.exe 1040 schtasks.exe 4480 schtasks.exe 1616 schtasks.exe 1988 schtasks.exe 4156 schtasks.exe 2800 schtasks.exe 4164 schtasks.exe 1776 schtasks.exe 3332 schtasks.exe 1556 schtasks.exe 1352 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 55 IoCs
pid Process 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 4300 DllCommonsvc.exe 920 powershell.exe 920 powershell.exe 4988 powershell.exe 4988 powershell.exe 4984 powershell.exe 4984 powershell.exe 980 powershell.exe 980 powershell.exe 3236 powershell.exe 3236 powershell.exe 1348 powershell.exe 1348 powershell.exe 1372 powershell.exe 1372 powershell.exe 3228 powershell.exe 3228 powershell.exe 4984 powershell.exe 1592 powershell.exe 1592 powershell.exe 1640 powershell.exe 1640 powershell.exe 920 powershell.exe 4988 powershell.exe 3364 Registry.exe 3364 Registry.exe 3236 powershell.exe 980 powershell.exe 1592 powershell.exe 3228 powershell.exe 1348 powershell.exe 1372 powershell.exe 1640 powershell.exe 4212 Registry.exe 4248 Registry.exe 4720 Registry.exe 4920 Registry.exe 2640 Registry.exe 3528 Registry.exe 988 Registry.exe 1872 Registry.exe 4328 Registry.exe 2820 Registry.exe 2248 Registry.exe 4980 Registry.exe 2596 Registry.exe 5056 Registry.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 4300 DllCommonsvc.exe Token: SeDebugPrivilege 920 powershell.exe Token: SeDebugPrivilege 4988 powershell.exe Token: SeDebugPrivilege 4984 powershell.exe Token: SeDebugPrivilege 980 powershell.exe Token: SeDebugPrivilege 3236 powershell.exe Token: SeDebugPrivilege 1348 powershell.exe Token: SeDebugPrivilege 1372 powershell.exe Token: SeDebugPrivilege 1592 powershell.exe Token: SeDebugPrivilege 3228 powershell.exe Token: SeDebugPrivilege 3364 Registry.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 4212 Registry.exe Token: SeDebugPrivilege 4248 Registry.exe Token: SeDebugPrivilege 4720 Registry.exe Token: SeDebugPrivilege 4920 Registry.exe Token: SeDebugPrivilege 2640 Registry.exe Token: SeDebugPrivilege 3528 Registry.exe Token: SeDebugPrivilege 988 Registry.exe Token: SeDebugPrivilege 1872 Registry.exe Token: SeDebugPrivilege 4328 Registry.exe Token: SeDebugPrivilege 2820 Registry.exe Token: SeDebugPrivilege 2248 Registry.exe Token: SeDebugPrivilege 4980 Registry.exe Token: SeDebugPrivilege 2596 Registry.exe Token: SeDebugPrivilege 5056 Registry.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 3556 2552 JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe 82 PID 2552 wrote to memory of 3556 2552 JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe 82 PID 2552 wrote to memory of 3556 2552 JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe 82 PID 3556 wrote to memory of 1368 3556 WScript.exe 83 PID 3556 wrote to memory of 1368 3556 WScript.exe 83 PID 3556 wrote to memory of 1368 3556 WScript.exe 83 PID 1368 wrote to memory of 4300 1368 cmd.exe 85 PID 1368 wrote to memory of 4300 1368 cmd.exe 85 PID 4300 wrote to memory of 1640 4300 DllCommonsvc.exe 114 PID 4300 wrote to memory of 1640 4300 DllCommonsvc.exe 114 PID 4300 wrote to memory of 1372 4300 DllCommonsvc.exe 115 PID 4300 wrote to memory of 1372 4300 DllCommonsvc.exe 115 PID 4300 wrote to memory of 3236 4300 DllCommonsvc.exe 116 PID 4300 wrote to memory of 3236 4300 DllCommonsvc.exe 116 PID 4300 wrote to memory of 4984 4300 DllCommonsvc.exe 117 PID 4300 wrote to memory of 4984 4300 DllCommonsvc.exe 117 PID 4300 wrote to memory of 1348 4300 DllCommonsvc.exe 118 PID 4300 wrote to memory of 1348 4300 DllCommonsvc.exe 118 PID 4300 wrote to memory of 920 4300 DllCommonsvc.exe 119 PID 4300 wrote to memory of 920 4300 DllCommonsvc.exe 119 PID 4300 wrote to memory of 980 4300 DllCommonsvc.exe 121 PID 4300 wrote to memory of 980 4300 DllCommonsvc.exe 121 PID 4300 wrote to memory of 4988 4300 DllCommonsvc.exe 122 PID 4300 wrote to memory of 4988 4300 DllCommonsvc.exe 122 PID 4300 wrote to memory of 1592 4300 DllCommonsvc.exe 124 PID 4300 wrote to memory of 1592 4300 DllCommonsvc.exe 124 PID 4300 wrote to memory of 3228 4300 DllCommonsvc.exe 125 PID 4300 wrote to memory of 3228 4300 DllCommonsvc.exe 125 PID 4300 wrote to memory of 3364 4300 DllCommonsvc.exe 134 PID 4300 wrote to memory of 3364 4300 DllCommonsvc.exe 134 PID 3364 wrote to memory of 4848 3364 Registry.exe 135 PID 3364 wrote to memory of 4848 3364 Registry.exe 135 PID 4848 wrote to memory of 2712 4848 cmd.exe 137 PID 4848 wrote to memory of 2712 4848 cmd.exe 137 PID 4848 wrote to memory of 4212 4848 cmd.exe 138 PID 4848 wrote to memory of 4212 4848 cmd.exe 138 PID 4212 wrote to memory of 3948 4212 Registry.exe 139 PID 4212 wrote to memory of 3948 4212 Registry.exe 139 PID 3948 wrote to memory of 4160 3948 cmd.exe 141 PID 3948 wrote to memory of 4160 3948 cmd.exe 141 PID 3948 wrote to memory of 4248 3948 cmd.exe 145 PID 3948 wrote to memory of 4248 3948 cmd.exe 145 PID 4248 wrote to memory of 3436 4248 Registry.exe 147 PID 4248 wrote to memory of 3436 4248 Registry.exe 147 PID 3436 wrote to memory of 3076 3436 cmd.exe 149 PID 3436 wrote to memory of 3076 3436 cmd.exe 149 PID 3436 wrote to memory of 4720 3436 cmd.exe 154 PID 3436 wrote to memory of 4720 3436 cmd.exe 154 PID 4720 wrote to memory of 1032 4720 Registry.exe 155 PID 4720 wrote to memory of 1032 4720 Registry.exe 155 PID 1032 wrote to memory of 2628 1032 cmd.exe 157 PID 1032 wrote to memory of 2628 1032 cmd.exe 157 PID 1032 wrote to memory of 4920 1032 cmd.exe 158 PID 1032 wrote to memory of 4920 1032 cmd.exe 158 PID 4920 wrote to memory of 1192 4920 Registry.exe 159 PID 4920 wrote to memory of 1192 4920 Registry.exe 159 PID 1192 wrote to memory of 1348 1192 cmd.exe 161 PID 1192 wrote to memory of 1348 1192 cmd.exe 161 PID 1192 wrote to memory of 2640 1192 cmd.exe 162 PID 1192 wrote to memory of 2640 1192 cmd.exe 162 PID 2640 wrote to memory of 4716 2640 Registry.exe 163 PID 2640 wrote to memory of 4716 2640 Registry.exe 163 PID 4716 wrote to memory of 2332 4716 cmd.exe 165 PID 4716 wrote to memory of 2332 4716 cmd.exe 165 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHT\sihost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2712
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4160
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:3076
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2628
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"14⤵
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1348
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"16⤵
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2332
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"18⤵PID:3820
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2028
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"20⤵PID:1020
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2348
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"22⤵PID:816
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:3056
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"24⤵PID:4828
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1708
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"26⤵PID:2164
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:396
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"28⤵PID:5020
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:3724
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"30⤵PID:1640
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:4016
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"32⤵PID:4848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:808
-
-
C:\Users\Admin\PrintHood\Registry.exe"C:\Users\Admin\PrintHood\Registry.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHT\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
64B
MD5f29c703e714479aef5d204d494b44fa6
SHA11aed3be5a2588a2702cd3ddef8600d80fb1fe67d
SHA256af70fbef29b9f7842ad0cf36f02975c1d4b5753995981194d967b9fe3f38451b
SHA5126cee929f3a2f0c279008b40fe2ce185fb51377365f870dfb35c0136930501331b69df8ac83ce9613f68b9a9e85f2869667ffe3d9c4ec40e63fc0cbd137388ad3
-
Filesize
202B
MD51093321979fcf691fea81f17f04a0674
SHA1834b79263936fb5c562cfc0d5a03a65a6832e290
SHA25637b39f98769ddf45a5ca39d0321a7ac955dc11121b0e9cfa83bc31b63c02bf20
SHA512b63f2aa2cc771e92a3823c208f5e3019308ec5b8ff8d57ed5720d04bcd0fbcd2f031e59a8fd5824060a5a3f7590a2d3110807a29e90ec8ded0934e35851310a6
-
Filesize
202B
MD5e20995ed64598e917afdc83e4d577baf
SHA12935b9916b3c20cc6828a7167857ff0188c76fd9
SHA256121dd5ab26da595799969705699d40f7ce068629f0e0157f2c828f487c22d2b1
SHA5128a98bb20a543ad951334ce2674233a603eb636142fb8358cab42646e87d31649e0fd092ae7468ef8f20546c9ddc11727dad8b5a855ef95da4460891ab5f7f90f
-
Filesize
202B
MD51ee21650cfb3352ada9afed3f0e40f6f
SHA1aa3f6c4224324a50296079b5069d7e1e99c0bba8
SHA256a4384d6ed6e21c831cf8e2ba3705ceb9d00484c1ab2e2df8013a1249a09ed650
SHA512f9cdf61ec0df46b45b6d32be44bdbd58e3103913fd085cd8f7c5c94236380a6fceb5d86f88df048424ad6846f2f841462ca32923805b854a77205365f88430d1
-
Filesize
202B
MD5b2b68904a1f26852a9573e54d6d1d949
SHA15f664bd68fb2a095352988bc9c21f0f622439bf9
SHA2565f25179561c142c75707193ede02b6ffb6f7effba63e774a8fc90d7cd25034f6
SHA51200b1296d4cbb8aff739e11510226e83138a3382fc38cb6795e0654d8bfc217d4d3372a7ba96c9b27066ec76acc2160911d519f290bda2d0985966a9c1c43a8f1
-
Filesize
202B
MD539592c387ea6b501077f8e13bca90258
SHA10de2a1c5af7d8032dc0508869343a592c51b4a19
SHA256e1220b55ab16594a136202f469df8cbfb08b5e15a84cf91daced8dd10dd1b370
SHA51203ed3df9973e797c83f359dccfd0fdd531a54840ebcfa3a249eacbf05fded78cc84c6d3fb98666c8eb9ac7fa804e22dcaf952e4e82ff7c884085763a146e5995
-
Filesize
202B
MD5bf65dbd3d0f65982cc47705fbdc3f0bf
SHA15a2f00f6cf9067920b3f736c594235cfc94d030f
SHA256345a75d95108b2b045db9f24915f6a1381f11303d0cab0dee618f0739746560b
SHA512df0943c7495eb4b5e848e3471e65c4cf8582fc354a1a8be8b5bc4a9062c4e3dbf28004812b20c80d6f9bda150b950ba57782adacd2c622de45e37631d0560ad4
-
Filesize
202B
MD52d8b3e38a1b33a05007bbfdf716ae3b7
SHA123955c422e45dbe6e5c0bbd12d5e719876948f5a
SHA25698ca1bcc53770d0f41380b790772336d9a1487f00171bcbf1890b2b877abd60a
SHA512ee05702cd0a7cc0b2aba1e1d20ac4d0b635cb0209f0bafae0bcd04e9bdba952dbda202a11d2940362782ccf3e404c4dc854c21a122d46e5a3e7607a7186a776b
-
Filesize
202B
MD5cebaa995299ebd35bb487a4b3e9311b8
SHA178a0eb772be02ce07dcd1b33ca2750613914759f
SHA256d00024715e2ffea1adc6be4ad47d03b7855e7e95c5f40dfac253484778a2d39a
SHA51237e3a44eb3ee7078241519fd98d78f3f08622e0b1478bf8a3fc38563a0248fe2ed878dc6a73fe026d624bcfaed9e996e34f0a68bccc331685c6b83c63fcc50cc
-
Filesize
202B
MD5f508087a6d909b582a08d95111dfc441
SHA125b963431e48bbc8eeab37ddb2e15561227d3e07
SHA25685dba0a073ab706c5de3a68cfee587498f60b848eea0491e2e85b5d70dd0ec2b
SHA51207e2cdd63ab619838e8ee932738233946101748c1901f3a4bfadb483883deb3d505c2d2a06946643cbf9d4c5ea9554776ebc65b349b5163d2010a29203744ff6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
202B
MD5bb45a6c5e265e93b6dd5609c9fa72f84
SHA13f3d21aa2f47e68c61a8008e7f3ed50490b02c2d
SHA256feec05e4a51587f6d9ea78a13c57f2d8e089a5a75a9cdac6ab54c09a68cc122a
SHA51293d8d054865e21d0797cdf0df99c9832135564fbe83acf5a12cf1f630449679b6385d783eea65eb613887631a5e6c109dce38f2914ffc715f1f6dc0d30e3e209
-
Filesize
202B
MD58d07d27e19c1ed90bd1d06a527ac5a62
SHA10c70a98d3971f4179eb9c6071a9a9fcd7080ba52
SHA2560f3ab7c60cfe774c2c1f242e4cebe35b77bda42de9961b14ea3e270aa431ecbf
SHA512e2c83d89fd46fa8c4ae8a9d61b74c7fa6dd07558e96259786f106b92a63625477544c09b64ecab8d4525322704acc21450e51b048c040d4d9e624acc905be21a
-
Filesize
202B
MD5fa8aaee0192d5304bf27eb941d5196c8
SHA156dff7f46567865aabda0546ad2ea45f8c3bb30a
SHA2567edbd542a053218b859d9ba316ae46a4a220fbd6d3adaec8eb789a6d577efd57
SHA51299d15ff60eee042c4a0b08cab0353e0ea5a0b31a16ea3c79b66e6edb453a55c9e146a173a302a5b12a40c5c452246e4c20ad1ceb508bb94e3a32a66897f4d760
-
Filesize
202B
MD5322db055cd633fa11409f83603cbd2ff
SHA1e6f6ecc1a578314edf975153dfb66d3a22607103
SHA2569f78fcfd4123eed68d097329f2371edc7bcb5a504aaeb5f2eb0b16fe664ad393
SHA512c835f5244ae6a47914cd46fd6727b00deea6f98f5c1191d76c30d587a057e5f8d7592b48b86cb4767b74217dd7c45ca2955e564c712e9557e6d99617701f4ac2
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478