Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 02:42
Behavioral task
behavioral1
Sample
JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
-
Size
1.3MB
-
MD5
a464e647ff6b07cc2267b54f37d4383d
-
SHA1
6e8f4613024fe40a4b2744ecf9e6a463453bde17
-
SHA256
536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081
-
SHA512
776214dfea3a52a213c4a82d13fd1c3141c0132554df30c54024e7a9b9e41eb8d5e1edda4b89dba16b5f1a8587c6648f37a5129430aed4281b7aba04bed726c0
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4720 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4008 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4040 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4612 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4620 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4580 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1264 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5040 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5012 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 408 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4708 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4856 | 4520 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4020 | 4520 | schtasks.exe | 89
-
resource | yara_rule
behavioral2/files/0x0008000000023c4f-9.dat | dcrat
behavioral2/memory/3200-13-0x0000000000F30000-0x0000000001040000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3988 | powershell.exe
4168 | powershell.exe
4552 | powershell.exe
4896 | powershell.exe
336 | powershell.exe
2084 | powershell.exe
2500 | powershell.exe
1580 | powershell.exe
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | dllhost.exe
-
Executes dropped EXE 14 IoCs
pid | Process
3200 | DllCommonsvc.exe
5068 | dllhost.exe
3176 | dllhost.exe
2564 | dllhost.exe
4920 | dllhost.exe
3260 | dllhost.exe
4912 | dllhost.exe
4164 | dllhost.exe
4624 | dllhost.exe
4612 | dllhost.exe
3932 | dllhost.exe
4908 | dllhost.exe
3504 | dllhost.exe
1932 | dllhost.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
45 | raw.githubusercontent.com
54 | raw.githubusercontent.com
55 | raw.githubusercontent.com
56 | raw.githubusercontent.com
58 | raw.githubusercontent.com
40 | raw.githubusercontent.com
21 | raw.githubusercontent.com
38 | raw.githubusercontent.com
41 | raw.githubusercontent.com
46 | raw.githubusercontent.com
47 | raw.githubusercontent.com
57 | raw.githubusercontent.com
20 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Mail\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\a76d7bf15d8370 | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\servicing\fr-FR\sihost.exe | DllCommonsvc.exe
File created | C:\Windows\Migration\WTR\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\Migration\WTR\7a0fd90576e088 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5040 | schtasks.exe
408 | schtasks.exe
1444 | schtasks.exe
1256 | schtasks.exe
2260 | schtasks.exe
4856 | schtasks.exe
2832 | schtasks.exe
4316 | schtasks.exe
4040 | schtasks.exe
4612 | schtasks.exe
4580 | schtasks.exe
2448 | schtasks.exe
4708 | schtasks.exe
4720 | schtasks.exe
4008 | schtasks.exe
1784 | schtasks.exe
5012 | schtasks.exe
2436 | schtasks.exe
4020 | schtasks.exe
4620 | schtasks.exe
1264 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid | Process
3200 | DllCommonsvc.exe
3200 | DllCommonsvc.exe
3200 | DllCommonsvc.exe
3200 | DllCommonsvc.exe
3200 | DllCommonsvc.exe
3988 | powershell.exe
4896 | powershell.exe
4896 | powershell.exe
4168 | powershell.exe
4168 | powershell.exe
4552 | powershell.exe
4552 | powershell.exe
336 | powershell.exe
336 | powershell.exe
2084 | powershell.exe
2084 | powershell.exe
1580 | powershell.exe
1580 | powershell.exe
2500 | powershell.exe
2500 | powershell.exe
4896 | powershell.exe
3988 | powershell.exe
3988 | powershell.exe
4168 | powershell.exe
4552 | powershell.exe
336 | powershell.exe
2084 | powershell.exe
1580 | powershell.exe
2500 | powershell.exe
5068 | dllhost.exe
3176 | dllhost.exe
2564 | dllhost.exe
4920 | dllhost.exe
3260 | dllhost.exe
4912 | dllhost.exe
4164 | dllhost.exe
4624 | dllhost.exe
4612 | dllhost.exe
3932 | dllhost.exe
4908 | dllhost.exe
3504 | dllhost.exe
1932 | dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3200 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3988 | powershell.exe
Token: SeDebugPrivilege | 4896 | powershell.exe
Token: SeDebugPrivilege | 4168 | powershell.exe
Token: SeDebugPrivilege | 4552 | powershell.exe
Token: SeDebugPrivilege | 2084 | powershell.exe
Token: SeDebugPrivilege | 336 | powershell.exe
Token: SeDebugPrivilege | 1580 | powershell.exe
Token: SeDebugPrivilege | 2500 | powershell.exe
Token: SeDebugPrivilege | 5068 | dllhost.exe
Token: SeDebugPrivilege | 3176 | dllhost.exe
Token: SeDebugPrivilege | 2564 | dllhost.exe
Token: SeDebugPrivilege | 4920 | dllhost.exe
Token: SeDebugPrivilege | 3260 | dllhost.exe
Token: SeDebugPrivilege | 4912 | dllhost.exe
Token: SeDebugPrivilege | 4164 | dllhost.exe
Token: SeDebugPrivilege | 4624 | dllhost.exe
Token: SeDebugPrivilege | 4612 | dllhost.exe
Token: SeDebugPrivilege | 3932 | dllhost.exe
Token: SeDebugPrivilege | 4908 | dllhost.exe
Token: SeDebugPrivilege | 3504 | dllhost.exe
Token: SeDebugPrivilege | 1932 | dllhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 372 wrote to memory of 1180 | 372 | JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | 84
PID 372 wrote to memory of 1180 | 372 | JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | 84
PID 372 wrote to memory of 1180 | 372 | JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | 84
PID 1180 wrote to memory of 1868 | 1180 | WScript.exe | 86
PID 1180 wrote to memory of 1868 | 1180 | WScript.exe | 86
PID 1180 wrote to memory of 1868 | 1180 | WScript.exe | 86
PID 1868 wrote to memory of 3200 | 1868 | cmd.exe | 88
PID 1868 wrote to memory of 3200 | 1868 | cmd.exe | 88
PID 3200 wrote to memory of 2500 | 3200 | DllCommonsvc.exe | 112
PID 3200 wrote to memory of 2500 | 3200 | DllCommonsvc.exe | 112
PID 3200 wrote to memory of 1580 | 3200 | DllCommonsvc.exe | 113
PID 3200 wrote to memory of 1580 | 3200 | DllCommonsvc.exe | 113
PID 3200 wrote to memory of 3988 | 3200 | DllCommonsvc.exe | 114
PID 3200 wrote to memory of 3988 | 3200 | DllCommonsvc.exe | 114
PID 3200 wrote to memory of 4168 | 3200 | DllCommonsvc.exe | 115
PID 3200 wrote to memory of 4168 | 3200 | DllCommonsvc.exe | 115
PID 3200 wrote to memory of 4552 | 3200 | DllCommonsvc.exe | 116
PID 3200 wrote to memory of 4552 | 3200 | DllCommonsvc.exe | 116
PID 3200 wrote to memory of 4896 | 3200 | DllCommonsvc.exe | 117
PID 3200 wrote to memory of 4896 | 3200 | DllCommonsvc.exe | 117
PID 3200 wrote to memory of 336 | 3200 | DllCommonsvc.exe | 118
PID 3200 wrote to memory of 336 | 3200 | DllCommonsvc.exe | 118
PID 3200 wrote to memory of 2084 | 3200 | DllCommonsvc.exe | 119
PID 3200 wrote to memory of 2084 | 3200 | DllCommonsvc.exe | 119
PID 3200 wrote to memory of 2588 | 3200 | DllCommonsvc.exe | 128
PID 3200 wrote to memory of 2588 | 3200 | DllCommonsvc.exe | 128
PID 2588 wrote to memory of 208 | 2588 | cmd.exe | 130
PID 2588 wrote to memory of 208 | 2588 | cmd.exe | 130
PID 2588 wrote to memory of 5068 | 2588 | cmd.exe | 131
PID 2588 wrote to memory of 5068 | 2588 | cmd.exe | 131
PID 5068 wrote to memory of 3724 | 5068 | dllhost.exe | 144
PID 5068 wrote to memory of 3724 | 5068 | dllhost.exe | 144
PID 3724 wrote to memory of 3192 | 3724 | cmd.exe | 146
PID 3724 wrote to memory of 3192 | 3724 | cmd.exe | 146
PID 3724 wrote to memory of 3176 | 3724 | cmd.exe | 148
PID 3724 wrote to memory of 3176 | 3724 | cmd.exe | 148
PID 3176 wrote to memory of 3720 | 3176 | dllhost.exe | 153
PID 3176 wrote to memory of 3720 | 3176 | dllhost.exe | 153
PID 3720 wrote to memory of 4384 | 3720 | cmd.exe | 155
PID 3720 wrote to memory of 4384 | 3720 | cmd.exe | 155
PID 3720 wrote to memory of 2564 | 3720 | cmd.exe | 157
PID 3720 wrote to memory of 2564 | 3720 | cmd.exe | 157
PID 2564 wrote to memory of 380 | 2564 | dllhost.exe | 159
PID 2564 wrote to memory of 380 | 2564 | dllhost.exe | 159
PID 380 wrote to memory of 3868 | 380 | cmd.exe | 161
PID 380 wrote to memory of 3868 | 380 | cmd.exe | 161
PID 380 wrote to memory of 4920 | 380 | cmd.exe | 163
PID 380 wrote to memory of 4920 | 380 | cmd.exe | 163
PID 4920 wrote to memory of 2616 | 4920 | dllhost.exe | 165
PID 4920 wrote to memory of 2616 | 4920 | dllhost.exe | 165
PID 2616 wrote to memory of 1820 | 2616 | cmd.exe | 167
PID 2616 wrote to memory of 1820 | 2616 | cmd.exe | 167
PID 2616 wrote to memory of 3260 | 2616 | cmd.exe | 170
PID 2616 wrote to memory of 3260 | 2616 | cmd.exe | 170
PID 3260 wrote to memory of 5080 | 3260 | dllhost.exe | 172
PID 3260 wrote to memory of 5080 | 3260 | dllhost.exe | 172
PID 5080 wrote to memory of 5040 | 5080 | cmd.exe | 174
PID 5080 wrote to memory of 5040 | 5080 | cmd.exe | 174
PID 5080 wrote to memory of 4912 | 5080 | cmd.exe | 176
PID 5080 wrote to memory of 4912 | 5080 | cmd.exe | 176
PID 4912 wrote to memory of 712 | 4912 | dllhost.exe | 178
PID 4912 wrote to memory of 712 | 4912 | dllhost.exe | 178
PID 712 wrote to memory of 4004 | 712 | cmd.exe | 180
PID 712 wrote to memory of 4004 | 712 | cmd.exe | 180
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rRelPrOQ0o.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:208
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:3192
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:4384
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat" 11⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:3868
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat" 13⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:1820
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat" 15⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:5040
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat" 17⤵
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:4004
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat" 19⤵ PID:1896
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:3876
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat" 21⤵ PID:680
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:2868
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat" 23⤵ PID:2468
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:3200
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat" 25⤵ PID:932
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:3084
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat" 27⤵ PID:1172
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:4504
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat" 29⤵ PID:2908
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 30⤵ PID:2548
-
-
C:\Users\Default\Templates\dllhost.exe "C:\Users\Default\Templates\dllhost.exe" 30⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020
Network
MITRE ATT&CK Enterprise v15
Downloads