Analysis
- max time kernel: 146s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2024, 11:36
Behavioral task behavioral1
- Sample: JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe
- Size: 1.3MB
- MD5: 6ca2b55a98af0e706208da5bd499ba70
- SHA1: ab5dbb5073ed6f7f16fba35786e969d42d7fd2f4
- SHA256: e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5
- SHA512: 804ffb03b884ebdc8d165621cff9b8823773c0843d5f5665c6dd5f6f23f46d96123ca5e5a6565999c9933ac0d44e45c23e855e34259fd2188a96522ace87d4a5
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
- resource behavioral2/files/0x0007000000023c9c-10.dat, yara_rule dcrat
- resource behavioral2/memory/3060-13-0x0000000000680000-0x0000000000790000-memory.dmp, yara_rule dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE 14 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
Drops file in Program Files directory 4 IoCs
- File created: C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe (process: DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Windows Photo Viewer\uk-UA\5940a34987c991 (process: DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe (process: DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\886983d96e3d3e (process: DllCommonsvc.exe)
Drops file in Windows directory 5 IoCs
- File created: C:\Windows\servicing\ja-JP\csrss.exe (process: DllCommonsvc.exe)
- File created: C:\Windows\Microsoft.NET\authman\fontdrvhost.exe (process: DllCommonsvc.exe)
- File created: C:\Windows\Microsoft.NET\authman\5b884080fd4f94 (process: DllCommonsvc.exe)
- File created: C:\Windows\Offline Web Pages\OfficeClickToRun.exe (process: DllCommonsvc.exe)
- File created: C:\Windows\Offline Web Pages\e6c9b481da804f (process: DllCommonsvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Modifies registry class 13 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of AdjustPrivilegeToken 25 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe (PID:1236, depth 1)
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WScript.exe (PID:452, depth 2)
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (PID:216, depth 3)
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\providercommon\DllCommonsvc.exe (PID:3060, depth 4)
"C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:3400, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:5028, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:4700, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:944, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:4952, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:3532, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:2932, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:2944, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:1076, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:4148, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:2400, depth 5)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\providercommon\RuntimeBroker.exe (PID:2176, depth 5)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (PID:2996, depth 6)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
- Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (PID:2384, depth 7)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:3332, depth 7)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (PID:4316, depth 8)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
- Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (PID:4276, depth 9)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:3056, depth 9)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (PID:1480, depth 10)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
- Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (PID:3432, depth 11)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:4220, depth 11)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (PID:440, depth 12)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
- Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (PID:908, depth 13)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:736, depth 13)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (PID:4256, depth 14)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
- Suspicious use of WriteProcessMemory

C:\Windows\system32\w32tm.exe (PID:1444, depth 15)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:4204, depth 15)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\System32\cmd.exe (PID:1288, depth 16)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"

C:\Windows\system32\w32tm.exe (PID:5084, depth 17)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:1184, depth 17)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID:332, depth 18)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"

C:\Windows\system32\w32tm.exe (PID:548, depth 19)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:1996, depth 19)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID:3584, depth 20)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"

C:\Windows\system32\w32tm.exe (PID:4356, depth 21)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:3548, depth 21)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID:3100, depth 22)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"

C:\Windows\system32\w32tm.exe (PID:1456, depth 23)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:1196, depth 23)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID:2732, depth 24)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"

C:\Windows\system32\w32tm.exe (PID:1508, depth 25)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:3224, depth 25)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID:536, depth 26)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"

C:\Windows\system32\w32tm.exe (PID:5084, depth 27)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:4784, depth 27)
"C:\providercommon\RuntimeBroker.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID:5028, depth 28)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"

C:\Windows\system32\w32tm.exe (PID:2080, depth 29)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\RuntimeBroker.exe (PID:5008, depth 29)
"C:\providercommon\RuntimeBroker.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\authman\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
Network
MITRE ATT&CK Enterprise v15
Downloads