Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-12-2024 21:08
Behavioral task behavioral1
- Sample: JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe
- Size: 1.3MB
- MD5: 5c92ccdf6b284f1677d622b85ba6bf65
- SHA1: 821929a0b3aea12b2ca60487254712d10f97e5d2
- SHA256: 5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd
- SHA512: f036d0df48334dbe3920661eab4898158083820c79cb3722a0d7b1d5475a1120965ac26e82b287c5efda6303dbe13c0a68f380b84b1ad80b28253a981b669002
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x0007000000023cb5-10.dat | dcrat |
| behavioral2/memory/3764-13-0x0000000000880000-0x0000000000990000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 16 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow ioc 21 raw.githubusercontent.com 45 raw.githubusercontent.com 48 raw.githubusercontent.com 53 raw.githubusercontent.com 55 raw.githubusercontent.com 57 raw.githubusercontent.com 34 raw.githubusercontent.com 46 raw.githubusercontent.com 40 raw.githubusercontent.com 41 raw.githubusercontent.com 47 raw.githubusercontent.com 56 raw.githubusercontent.com 58 raw.githubusercontent.com 59 raw.githubusercontent.com 22 raw.githubusercontent.com -
Drops file in Program Files directory 14 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Windows NT\sppsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files\dotnet\e6c9b481da804f | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Internet Explorer\it-IT\22eafd247d37c3 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows NT\0a1fd5f707cd16 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c82b8037eab33d | DllCommonsvc.exe |
| File created | C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files (x86)\Windows NT\sppsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\WindowsPowerShell\a76d7bf15d8370 | DllCommonsvc.exe |
| File created | C:\Program Files\dotnet\OfficeClickToRun.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe | DllCommonsvc.exe |
Drops file in Windows directory 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..agnostics.resources_31bf3856ad364e35_10.0.19041.1_nb-no_9dd550efd804b7ee\services.exe | DllCommonsvc.exe |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_17fc160c8d2ab6f2\System.exe | DllCommonsvc.exe |
| File created | C:\Windows\tracing\StartMenuExperienceHost.exe | DllCommonsvc.exe |
| File created | C:\Windows\tracing\55b276f4edf653 | DllCommonsvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Modifies registry class 16 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 35 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e8eb37cc096268975d3849ebe2aa475cc8620b3b5e08bd6582a24da758f40bd.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:904 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\br1tpLa245.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:3648
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\StartMenuExperienceHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\OfficeClickToRun.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\upfc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:4040
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1128
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"12⤵PID:4220
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:4968
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"14⤵PID:4936
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:4284
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"16⤵PID:1808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4328
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"18⤵PID:2736
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2324
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"20⤵PID:2068
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:5104
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"22⤵PID:2848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:4568
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"24⤵PID:3960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:4492
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"26⤵PID:5020
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:4032
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1804 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"28⤵PID:2448
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:1448
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3316 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"30⤵PID:652
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:2816
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"32⤵PID:1344
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:3448
-
-
C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"34⤵PID:4960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\My Documents\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\providercommon\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784
Network
MITRE ATT&CK Enterprise v15
Downloads