Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 19:01
Behavioral task
behavioral1
Sample
JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
Size: 1.3MB
MD5: e646f9464557838393e0637065e0c1fa
SHA1: 09eacb5b59064dd42b3e241959fa55a9ad2f2f90
SHA256: 5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953
SHA512: a597866b73f46dbcc0f34880d2e0f96cac19c482d0fa3cc14a49bd3344feadb0db3dc30ec55a574790c495ad23292399b8077f1dfa1d290f6f3472a8b8118620
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 60 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral2/files/0x0007000000023cab-9.dat | dcrat
behavioral2/memory/5092-13-0x0000000000910000-0x0000000000A20000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE 15 IoCs
pid | Process
5092 | DllCommonsvc.exe
3700 | DllCommonsvc.exe
3200 | DllCommonsvc.exe
4712 | explorer.exe
3240 | explorer.exe
3224 | explorer.exe
4180 | explorer.exe
3876 | explorer.exe
3648 | explorer.exe
4208 | explorer.exe
4444 | explorer.exe
4384 | explorer.exe
4432 | explorer.exe
3996 | explorer.exe
4252 | explorer.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
53 | raw.githubusercontent.com
31 | raw.githubusercontent.com
37 | raw.githubusercontent.com
38 | raw.githubusercontent.com
39 | raw.githubusercontent.com
42 | raw.githubusercontent.com
55 | raw.githubusercontent.com
34 | raw.githubusercontent.com
43 | raw.githubusercontent.com
45 | raw.githubusercontent.com
54 | raw.githubusercontent.com
-
Drops file in Program Files directory 16 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\System\121e5b5079f7c0 | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\it-IT\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\it-IT\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\ea9f0e6c9e2dcd | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\System\sysmon.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\OfficeClickToRun.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\e6c9b481da804f | DllCommonsvc.exe
File created | C:\Program Files\Windows Security\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Media Renderer\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OfficeClickToRun.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\taskhostw.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Media Renderer\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Security\9e8d7a4ca61bd9 | DllCommonsvc.exe
-
Drops file in Windows directory 15 IoCs
description | ioc | Process
File created | C:\Windows\tracing\Registry.exe | DllCommonsvc.exe
File created | C:\Windows\apppatch\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\SppExtComObj.exe | DllCommonsvc.exe
File created | C:\Windows\debug\unsecapp.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\v1.0.3705\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Windows\tracing\ee2ad38f3d4382 | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\e1ef82546f0b02 | DllCommonsvc.exe
File created | C:\Windows\Media\Festival\1f93f77a7f4778 | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Windows\debug\29c1c3cc0f7685 | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\v1.0.3705\smss.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\tracing\Registry.exe | DllCommonsvc.exe
File created | C:\Windows\apppatch\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Windows\Media\Festival\MoUsoCoreWorker.exe | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\fontdrvhost.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\StartMenuExperienceHost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2045521122-590294423-3465680274-1000\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\sysmon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\taskhostw.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v1.0.3705\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\OfficeClickToRun.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d4BMqdaTkg.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵
PID:3572
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsass.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cvnmccp5MD.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵
PID:1820
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\Registry.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\RuntimeBroker.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\SppExtComObj.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Festival\MoUsoCoreWorker.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\fontdrvhost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\unsecapp.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yuKuU8VKrE.bat"9⤵PID:2708
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵PID:1048
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4712 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"11⤵PID:3432
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵PID:2324
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3240 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"13⤵PID:2372
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵PID:4044
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3224 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"15⤵PID:592
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵PID:4352
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"17⤵PID:228
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵PID:4328
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3876 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"19⤵PID:1404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵PID:3836
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3648 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"21⤵PID:4524
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵PID:2000
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4208 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"23⤵PID:644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵PID:2332
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"25⤵PID:3504
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵PID:2952
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4384 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"27⤵PID:4328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵PID:2276
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"29⤵PID:2436
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 30⤵PID:4080
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3996 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"31⤵PID:1592
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 32⤵PID:2068
-
-
C:\providercommon\explorer.exe"C:\providercommon\explorer.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4252 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"33⤵PID:960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 34⤵PID:3020
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2045521122-590294423-3465680274-1000\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2045521122-590294423-3465680274-1000\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2045521122-590294423-3465680274-1000\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\tracing\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\apppatch\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Festival\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Media\Festival\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Festival\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\debug\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432
Network
MITRE ATT&CK Enterprise v15
Downloads