Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 02:07
Behavioral task: behavioral1
Sample: JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Size: 1.3MB
MD5: f6011a9af3bb76cebd2a579ef81b4dd2
SHA1: 887ba1dd251ff6270adfd66f305d9c6eb6e4bcda
SHA256: af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760
SHA512: 7931a81e030fb51170e895d3170b8f30de6b9cbfb83c5201266b613a6a5747f71d930c2097af6d7f4f79b42c444ab5def0256fd9060fb4a65d225081fd652aa5
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4784 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3228 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3632 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4972 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2100 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3688 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5076 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3952 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 348 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4584 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3664 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 228 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3092 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 892 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 116 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4120 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4108 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3196 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1280 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 64 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 64 | schtasks.exe | 86
-
resource | yara_rule
behavioral2/files/0x0007000000023c97-10.dat | dcrat
behavioral2/memory/5092-13-0x00000000008D0000-0x00000000009E0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
-
Executes dropped EXE 14 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
18 | raw.githubusercontent.com
37 | raw.githubusercontent.com
38 | raw.githubusercontent.com
39 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
19 | raw.githubusercontent.com
24 | raw.githubusercontent.com
42 | raw.githubusercontent.com
43 | raw.githubusercontent.com
47 | raw.githubusercontent.com
49 | raw.githubusercontent.com
50 | raw.githubusercontent.com
-
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\5940a34987c991 | DllCommonsvc.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\sihost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Multimedia Platform\upfc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\121e5b5079f7c0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\sihost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\66fc9ff0ee96c2 | DllCommonsvc.exe
File created | C:\Program Files\Windows Multimedia Platform\ea1d8f6d871115 | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Windows\Logs\WindowsUpdate\sihost.exe | DllCommonsvc.exe
File created | C:\Windows\Logs\WindowsUpdate\66fc9ff0ee96c2 | DllCommonsvc.exe
File created | C:\Windows\ServiceState\EventLog\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | RuntimeBroker.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5092 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4184 | powershell.exe
Token: SeDebugPrivilege | 4896 | powershell.exe
Token: SeDebugPrivilege | 1740 | powershell.exe
Token: SeDebugPrivilege | 868 | powershell.exe
Token: SeDebugPrivilege | 4524 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 3112 | powershell.exe
Token: SeDebugPrivilege | 2284 | powershell.exe
Token: SeDebugPrivilege | 3648 | powershell.exe
Token: SeDebugPrivilege | 1836 | powershell.exe
Token: SeDebugPrivilege | 4564 | powershell.exe
Token: SeDebugPrivilege | 3860 | RuntimeBroker.exe
Token: SeDebugPrivilege | 3080 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4936 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4676 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1636 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4908 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4688 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1564 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4696 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4836 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2768 | RuntimeBroker.exe
Token: SeDebugPrivilege | 868 | RuntimeBroker.exe
Token: SeDebugPrivilege | 3632 | RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:380 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\WindowsUpdate\sihost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\upfc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4IM9wGN2db.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:1300
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:4084
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:1964
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat" 11⤵
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:3704
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat" 13⤵
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:4280
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat" 15⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:4516
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat" 17⤵ PID:3652
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:2424
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat" 19⤵ PID:380
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:3888
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat" 21⤵ PID:908
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:4112
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat" 23⤵ PID:4408
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:3556
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat" 25⤵ PID:2284
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:4840
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat" 27⤵ PID:4968
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:4200
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat" 29⤵ PID:3152
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 30⤵ PID:2892
-
-
C:\Users\Default User\RuntimeBroker.exe "C:\Users\Default User\RuntimeBroker.exe" 30⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\WindowsUpdate\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\WindowsUpdate\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
Network
MITRE ATT&CK Enterprise v15
Downloads