Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 20:46
Behavioral task: behavioral1
Sample: JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Size: 1.3MB
MD5: 32615ad6080d8fe652230bb4c70496a7
SHA1: 5dd7ca55e4d479aa054309f78225262ed35cc1d3
SHA256: 2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a
SHA512: e8e79f81e355354d1cef17cf101fe2d815cb0b0147ef9cbb573d8cbf3fb1d847ffcbf7735d8a5b5bbc1379727de1cd72454ef45d87f9c9605a65beb2b90ce8e4
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4464 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4860 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5044 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 792 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2460 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3628 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4444 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2304 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4916 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4032 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3252 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3328 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3500 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1860 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1072 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 428 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4612 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3748 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3156 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4576 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3820 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3336 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4472 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4868 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4060 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4240 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4040 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4768 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3588 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1968 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1340 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5080 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 224 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3592 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3300 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4424 | 3964 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 860 | 3964 | schtasks.exe | 88
resource | yara_rule
behavioral2/files/0x000a000000023b78-10.dat | dcrat
behavioral2/memory/2068-13-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | conhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Executes dropped EXE 15 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow | ioc
52 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
28 | raw.githubusercontent.com
39 | raw.githubusercontent.com
50 | raw.githubusercontent.com
51 | raw.githubusercontent.com
15 | raw.githubusercontent.com
40 | raw.githubusercontent.com
43 | raw.githubusercontent.com
54 | raw.githubusercontent.com
44 | raw.githubusercontent.com
45 | raw.githubusercontent.com
53 | raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\22eafd247d37c3 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\fr-FR\unsecapp.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\fr-FR\29c1c3cc0f7685 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\lua\meta\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\lua\meta\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe | DllCommonsvc.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\Globalization\ICU\e1ef82546f0b02 | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\de-DE\SearchApp.exe | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\de-DE\38384e6a620884 | DllCommonsvc.exe
File created | C:\Windows\tracing\StartMenuExperienceHost.exe | DllCommonsvc.exe
File created | C:\Windows\tracing\55b276f4edf653 | DllCommonsvc.exe
File created | C:\Windows\apppatch\de-DE\wininit.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\apppatch\de-DE\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\Globalization\ICU\SppExtComObj.exe | DllCommonsvc.exe
File created | C:\Windows\Registration\CRMLog\ee2ad38f3d4382 | DllCommonsvc.exe
File created | C:\Windows\apppatch\de-DE\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\Registration\CRMLog\Registry.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | conhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 35 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2068 | DllCommonsvc.exe
Token: SeDebugPrivilege | 220 | powershell.exe
Token: SeDebugPrivilege | 4460 | powershell.exe
Token: SeDebugPrivilege | 4328 | powershell.exe
Token: SeDebugPrivilege | 8 | powershell.exe
Token: SeDebugPrivilege | 3804 | powershell.exe
Token: SeDebugPrivilege | 208 | powershell.exe
Token: SeDebugPrivilege | 2916 | powershell.exe
Token: SeDebugPrivilege | 3760 | powershell.exe
Token: SeDebugPrivilege | 2528 | powershell.exe
Token: SeDebugPrivilege | 784 | powershell.exe
Token: SeDebugPrivilege | 3040 | powershell.exe
Token: SeDebugPrivilege | 4064 | powershell.exe
Token: SeDebugPrivilege | 544 | powershell.exe
Token: SeDebugPrivilege | 4104 | powershell.exe
Token: SeDebugPrivilege | 3280 | powershell.exe
Token: SeDebugPrivilege | 940 | powershell.exe
Token: SeDebugPrivilege | 4524 | powershell.exe
Token: SeDebugPrivilege | 640 | powershell.exe
Token: SeDebugPrivilege | 3600 | powershell.exe
Token: SeDebugPrivilege | 4728 | conhost.exe
Token: SeDebugPrivilege | 1648 | powershell.exe
Token: SeDebugPrivilege | 4920 | conhost.exe
Token: SeDebugPrivilege | 5240 | conhost.exe
Token: SeDebugPrivilege | 644 | conhost.exe
Token: SeDebugPrivilege | 5480 | conhost.exe
Token: SeDebugPrivilege | 1904 | conhost.exe
Token: SeDebugPrivilege | 1708 | conhost.exe
Token: SeDebugPrivilege | 5608 | conhost.exe
Token: SeDebugPrivilege | 2068 | conhost.exe
Token: SeDebugPrivilege | 4988 | conhost.exe
Token: SeDebugPrivilege | 4408 | conhost.exe
Token: SeDebugPrivilege | 2644 | conhost.exe
Token: SeDebugPrivilege | 4156 | conhost.exe
Token: SeDebugPrivilege | 4280 | conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\de-DE\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ICU\SppExtComObj.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\SearchApp.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\unsecapp.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\meta\RuntimeBroker.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\StartMenuExperienceHost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\Registry.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sysmon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\taskhostw.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\providercommon\conhost.exe "C:\providercommon\conhost.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:5772 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:5828
-
-
C:\providercommon\conhost.exe "C:\providercommon\conhost.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:5432 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:4272
-
-
C:\providercommon\conhost.exe "C:\providercommon\conhost.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5240 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat" 10⤵ PID:3324
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:5176
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:644 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"12⤵PID:2916
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:5236
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5480 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"14⤵PID:4324
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:5252
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"16⤵PID:5548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4964
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"18⤵PID:5576
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:5404
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"20⤵PID:2460
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:5960
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"22⤵PID:2508
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:3240
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"24⤵PID:2760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:3504
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4408 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"26⤵PID:1104
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:5268
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"28⤵PID:2428
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:5504
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"30⤵PID:4624
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:1552
-
-
C:\providercommon\conhost.exe"C:\providercommon\conhost.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\de-DE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\apppatch\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\providercommon\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\ICU\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\ICU\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\de-DE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Favorites\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
Network
MITRE ATT&CK Enterprise v15
Downloads