Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 21:09
Behavioral task
behavioral1
Sample
JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe
-
Size
1.3MB
-
MD5
18ca4c65731ca7b7f3916c005f66f08c
-
SHA1
121325821c5d8d6304fe63d2829bfee005a88268
-
SHA256
a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a
-
SHA512
1b24644c9d1b9161a539fe411dcdfe4d1905a6d6c19b9b85b8980c9e34316664c58fb78d85dbb3a36c78c3fc1bff596dae3c5ced3fe53b6425c3292b09ed737c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4068 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1908 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1180 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4532 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1672 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3432 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3028 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4996 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3248 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4700 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3280 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3720 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4180 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 528 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3608 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5072 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4136 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3864 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2736 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3612 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 964 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4740 4656 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3496 4656 schtasks.exe 87 -
resource yara_rule behavioral2/files/0x000a000000023b86-10.dat dcrat behavioral2/memory/2480-13-0x0000000000940000-0x0000000000A50000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4708 powershell.exe 212 powershell.exe 2944 powershell.exe 3288 powershell.exe 1552 powershell.exe 3064 powershell.exe 4268 powershell.exe 604 powershell.exe 60 powershell.exe 1624 powershell.exe 536 powershell.exe 3508 powershell.exe 1496 powershell.exe 4036 powershell.exe 1912 powershell.exe 5112 powershell.exe 3988 powershell.exe 3052 powershell.exe -
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe -
Executes dropped EXE 14 IoCs
pid Process 2480 DllCommonsvc.exe 2972 RuntimeBroker.exe 5920 RuntimeBroker.exe 5188 RuntimeBroker.exe 4476 RuntimeBroker.exe 624 RuntimeBroker.exe 4072 RuntimeBroker.exe 4376 RuntimeBroker.exe 5088 RuntimeBroker.exe 4356 RuntimeBroker.exe 4268 RuntimeBroker.exe 3724 RuntimeBroker.exe 5664 RuntimeBroker.exe 4500 RuntimeBroker.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc 18 raw.githubusercontent.com 38 raw.githubusercontent.com 39 raw.githubusercontent.com 43 raw.githubusercontent.com 44 raw.githubusercontent.com 45 raw.githubusercontent.com 52 raw.githubusercontent.com 17 raw.githubusercontent.com 55 raw.githubusercontent.com 56 raw.githubusercontent.com 53 raw.githubusercontent.com 54 raw.githubusercontent.com 33 raw.githubusercontent.com -
Drops file in Program Files directory 17 IoCs
description ioc Process File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\f3b6ecef712a24 DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\38384e6a620884 DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\ja-JP\a76d7bf15d8370 DllCommonsvc.exe File created C:\Program Files\Microsoft Office 15\ClientX64\121e5b5079f7c0 DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\spoolsv.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Oracle\ea1d8f6d871115 DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\5b884080fd4f94 DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Oracle\upfc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\fontdrvhost.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Common Files\fontdrvhost.exe DllCommonsvc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\BitLockerDiscoveryVolumeContents\088424020bedd6 DllCommonsvc.exe File created C:\Windows\ServiceState\EventLog\upfc.exe DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 13 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings RuntimeBroker.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3708 schtasks.exe 3864 schtasks.exe 4740 schtasks.exe 1628 schtasks.exe 1908 schtasks.exe 2724 schtasks.exe 3248 schtasks.exe 3192 schtasks.exe 1724 schtasks.exe 3496 schtasks.exe 4924 schtasks.exe 1672 schtasks.exe 528 schtasks.exe 5072 schtasks.exe 4068 schtasks.exe 956 schtasks.exe 2736 schtasks.exe 3612 schtasks.exe 4232 schtasks.exe 4996 schtasks.exe 1356 schtasks.exe 4180 schtasks.exe 2036 schtasks.exe 4536 schtasks.exe 1800 schtasks.exe 1460 schtasks.exe 2192 schtasks.exe 1180 schtasks.exe 2348 schtasks.exe 964 schtasks.exe 2516 schtasks.exe 4136 schtasks.exe 2720 schtasks.exe 2324 schtasks.exe 4532 schtasks.exe 3436 schtasks.exe 3720 schtasks.exe 2904 schtasks.exe 1972 schtasks.exe 1584 schtasks.exe 1108 schtasks.exe 5024 schtasks.exe 4700 schtasks.exe 3280 schtasks.exe 3608 schtasks.exe 1588 schtasks.exe 4576 schtasks.exe 4944 schtasks.exe 3432 schtasks.exe 3028 schtasks.exe 2280 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 2480 DllCommonsvc.exe 5112 powershell.exe 5112 powershell.exe 3988 powershell.exe 3988 powershell.exe 4708 powershell.exe 4708 powershell.exe 1912 powershell.exe 1912 powershell.exe 60 powershell.exe 60 powershell.exe 3508 powershell.exe 3508 powershell.exe 212 powershell.exe 212 powershell.exe 4036 powershell.exe 4036 powershell.exe 1552 powershell.exe 1552 powershell.exe 1624 powershell.exe 1624 powershell.exe 2944 powershell.exe 2944 powershell.exe 3288 powershell.exe 3288 powershell.exe 4268 powershell.exe 4268 powershell.exe 536 powershell.exe 536 powershell.exe 1496 powershell.exe 1496 powershell.exe 3064 powershell.exe 3064 powershell.exe 604 powershell.exe 604 powershell.exe 2972 RuntimeBroker.exe 2972 RuntimeBroker.exe 3052 powershell.exe 3052 powershell.exe 60 powershell.exe 4708 powershell.exe 4036 powershell.exe 3288 powershell.exe 2944 powershell.exe 5112 powershell.exe 5112 powershell.exe 3988 powershell.exe 3988 powershell.exe 4268 powershell.exe 1912 powershell.exe 212 powershell.exe 1496 powershell.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeDebugPrivilege 2480 DllCommonsvc.exe Token: SeDebugPrivilege 5112 powershell.exe Token: SeDebugPrivilege 3988 powershell.exe Token: SeDebugPrivilege 4708 powershell.exe Token: SeDebugPrivilege 4036 powershell.exe Token: SeDebugPrivilege 1912 powershell.exe Token: SeDebugPrivilege 3288 powershell.exe Token: SeDebugPrivilege 2972 RuntimeBroker.exe Token: SeDebugPrivilege 604 powershell.exe Token: SeDebugPrivilege 3052 powershell.exe Token: SeDebugPrivilege 60 powershell.exe Token: SeDebugPrivilege 212 powershell.exe Token: SeDebugPrivilege 3508 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 1624 powershell.exe Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 4268 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 1496 powershell.exe Token: SeDebugPrivilege 3064 powershell.exe Token: SeDebugPrivilege 5920 RuntimeBroker.exe Token: SeDebugPrivilege 5188 RuntimeBroker.exe Token: SeDebugPrivilege 4476 RuntimeBroker.exe Token: SeDebugPrivilege 624 RuntimeBroker.exe Token: SeDebugPrivilege 4072 RuntimeBroker.exe Token: SeDebugPrivilege 4376 RuntimeBroker.exe Token: SeDebugPrivilege 5088 RuntimeBroker.exe Token: SeDebugPrivilege 4356 RuntimeBroker.exe Token: SeDebugPrivilege 4268 RuntimeBroker.exe Token: SeDebugPrivilege 3724 RuntimeBroker.exe Token: SeDebugPrivilege 5664 RuntimeBroker.exe Token: SeDebugPrivilege 4500 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4408 wrote to memory of 3724 4408 JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe 83 PID 4408 wrote to memory of 3724 4408 JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe 83 PID 4408 wrote to memory of 3724 4408 JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe 83 PID 3724 wrote to memory of 1680 3724 WScript.exe 84 PID 3724 wrote to memory of 1680 3724 WScript.exe 84 PID 3724 wrote to memory of 1680 3724 WScript.exe 84 PID 1680 wrote to memory of 2480 1680 cmd.exe 86 PID 1680 wrote to memory of 2480 1680 cmd.exe 86 PID 2480 wrote to memory of 1552 2480 DllCommonsvc.exe 139 PID 2480 wrote to memory of 1552 2480 DllCommonsvc.exe 139 PID 2480 wrote to memory of 536 2480 DllCommonsvc.exe 140 PID 2480 wrote to memory of 536 2480 DllCommonsvc.exe 140 PID 2480 wrote to memory of 4036 2480 DllCommonsvc.exe 141 PID 2480 wrote to memory of 4036 2480 DllCommonsvc.exe 141 PID 2480 wrote to memory of 3064 2480 DllCommonsvc.exe 142 PID 2480 wrote to memory of 3064 2480 DllCommonsvc.exe 142 PID 2480 wrote to memory of 3508 2480 DllCommonsvc.exe 143 PID 2480 wrote to memory of 3508 2480 DllCommonsvc.exe 143 PID 2480 wrote to memory of 1912 2480 DllCommonsvc.exe 144 PID 2480 wrote to memory of 1912 2480 DllCommonsvc.exe 144 PID 2480 wrote to memory of 5112 2480 DllCommonsvc.exe 145 PID 2480 wrote to memory of 5112 2480 DllCommonsvc.exe 145 PID 2480 wrote to memory of 3988 2480 DllCommonsvc.exe 146 PID 2480 wrote to memory of 3988 2480 DllCommonsvc.exe 146 PID 2480 wrote to memory of 4708 2480 DllCommonsvc.exe 147 PID 2480 wrote to memory of 4708 2480 DllCommonsvc.exe 147 PID 2480 wrote to memory of 4268 2480 DllCommonsvc.exe 148 PID 2480 wrote to memory of 4268 2480 DllCommonsvc.exe 148 PID 2480 wrote to memory of 1496 2480 DllCommonsvc.exe 149 PID 2480 wrote to memory of 1496 2480 DllCommonsvc.exe 149 PID 2480 wrote to memory of 604 2480 DllCommonsvc.exe 150 PID 2480 wrote to memory of 604 2480 DllCommonsvc.exe 150 PID 2480 wrote to memory of 3052 2480 DllCommonsvc.exe 151 PID 2480 wrote to memory of 3052 2480 DllCommonsvc.exe 151 PID 2480 wrote to memory of 212 2480 DllCommonsvc.exe 152 PID 2480 wrote to memory of 212 2480 DllCommonsvc.exe 152 PID 2480 wrote to memory of 60 2480 DllCommonsvc.exe 153 PID 2480 wrote to memory of 60 2480 DllCommonsvc.exe 153 PID 2480 wrote to memory of 1624 2480 DllCommonsvc.exe 154 PID 2480 wrote to memory of 1624 2480 DllCommonsvc.exe 154 PID 2480 wrote to memory of 2944 2480 DllCommonsvc.exe 155 PID 2480 wrote to memory of 2944 2480 DllCommonsvc.exe 155 PID 2480 wrote to memory of 3288 2480 DllCommonsvc.exe 156 PID 2480 wrote to memory of 3288 2480 DllCommonsvc.exe 156 PID 2480 wrote to memory of 2972 2480 DllCommonsvc.exe 174 PID 2480 wrote to memory of 2972 2480 DllCommonsvc.exe 174 PID 2972 wrote to memory of 5628 2972 RuntimeBroker.exe 180 PID 2972 wrote to memory of 5628 2972 RuntimeBroker.exe 180 PID 5628 wrote to memory of 5688 5628 cmd.exe 182 PID 5628 wrote to memory of 5688 5628 cmd.exe 182 PID 5628 wrote to memory of 5920 5628 cmd.exe 185 PID 5628 wrote to memory of 5920 5628 cmd.exe 185 PID 5920 wrote to memory of 6136 5920 RuntimeBroker.exe 187 PID 5920 wrote to memory of 6136 5920 RuntimeBroker.exe 187 PID 6136 wrote to memory of 808 6136 cmd.exe 189 PID 6136 wrote to memory of 808 6136 cmd.exe 189 PID 6136 wrote to memory of 5188 6136 cmd.exe 191 PID 6136 wrote to memory of 5188 6136 cmd.exe 191 PID 5188 wrote to memory of 2736 5188 RuntimeBroker.exe 192 PID 5188 wrote to memory of 2736 5188 RuntimeBroker.exe 192 PID 2736 wrote to memory of 1160 2736 cmd.exe 194 PID 2736 wrote to memory of 1160 2736 cmd.exe 194 PID 2736 wrote to memory of 4476 2736 cmd.exe 195 PID 2736 wrote to memory of 4476 2736 cmd.exe 195 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8c5972745832b6843e1a50ae0665859c16ed679fc89307014dc35a63384c97a.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:5628 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:5688
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:6136 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:808
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5188 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1160
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"12⤵PID:2420
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:5244
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"14⤵PID:508
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3472
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4072 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"16⤵PID:4408
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4328
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"18⤵PID:632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:672
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"20⤵PID:4432
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2304
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4356 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"22⤵PID:4288
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1728
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4268 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"24⤵PID:2284
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:5572
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"26⤵PID:5900
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:3036
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"28⤵PID:5964
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:4720
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\providercommon\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Oracle\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD528d4235aa2e6d782751f980ceb6e5021
SHA1f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA2568c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
204B
MD5063fb9df2d806af3676897fa93d27412
SHA1aec97196e70da7c11076b8a1d6cb6fd2f9f59199
SHA256789cf50c283ffb818aef3a215fa9ebd661dd98a5715bf00ae0579be14aa07205
SHA51284f8b4fedb1ba7d57e77b844aaddae2eabc974115c614129873513bb91a3192a5544dd04913a204ccc98b3837e8c261dc4a51e89d338a8462f6bbd82ecefbfd9
-
Filesize
204B
MD5030ea9c34d85e25d1fd775a8f80f85da
SHA1c89bd181abf486dd0e9c50ad5703369d2dd8cfc3
SHA2564412cbe1a29206bab4bafc2a58d903ec2feb4aff2536ecca209a455a60ee981d
SHA512435ba9e61a65540140f6ae0bf4ebd89cbdf6e9f8b09aca1929f1d0c55b0848bebd08ad4640e0ba4c00ae4e1cf174de9d0634fcf37a0ec2693d2805b6db60dbdc
-
Filesize
204B
MD55e391dba66dabb421bc6cc7537f3cc6d
SHA1426811181c1dbfb8ebee7c831288c03fc744a237
SHA256561b39d7618eb5d0e421509ded8910dc3200ba486780758db61816b022a9dc19
SHA51286bae3d51f297687e35c69e83450759216992cc65b821b0ea294bb47edf9a898eefb1229de92c71e8822ae6c15ae1ab89d7bdf23946058c05ae368adfd853fbc
-
Filesize
204B
MD593808156e0066513ae76b02a8d270cd2
SHA1e0c17a18620623048c188941c2bee4407300311d
SHA25659f072518e0a0539c8e1748563f6afdf2eb746946627789b3aeaee43ba29d05c
SHA512bbd4f54468d95d4c863fc227079f7cd15291247ea9c793826d87151ad823bf00022d2a96a3ab510baeba69d1290bc5d2103736f742ffaa7720d1e165a2620c31
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
204B
MD5c69ff4e3b3528affe05066accdf7a8a9
SHA1723709af247000c28b01abcc89ec02286bf3b120
SHA256b42766cedfac6181db7879ff37f3c35e17129b16d42a1ad80cce2e5ab3b7a8f3
SHA51289e34949f397994c33747716a36b5622cb00b18a26814180cf09e8876a93288ec937dbc2eb9dba0ddfdd10bedb657c81aa70d012bfe0d945e979e5966f5f7bd3
-
Filesize
204B
MD58ed973942486c5f97d7125dfbf644ec8
SHA1836dd3414228b4f0e52c6cf3026f241e317f7a94
SHA256fe6e9ed76ac20894748cd881094e67b1ca65987fc275c4246fcd3249a64e673b
SHA512832527ec81f667ca50533d9d99844ceb8a43c9ee66e27aed6b44f34e98200ea82470764c0623737072bcb24d05b659759e0de360f91e2ac3441d51582e089ba8
-
Filesize
204B
MD5ee1c32146992892a12025eff9079510d
SHA16c07710bbc0ffaa241fb4f26caceb52ec910aca9
SHA256e9bd4caa59d6f808cf129514e66c97812766ba7a348756204b6040f3081ebb62
SHA512a9b8694eb6431ec3e9c9552e834536abe05e6bb84db786696fd48fcb744882dc23eb7d5d616e8e09a4acfc32c2c7525be3abf5736d5dffdeae012e59a4ad218f
-
Filesize
204B
MD5c49940836b143279c28564f33177f1d4
SHA1d8ceb1117c4dd7c4b2aa39060cb3c9d4488ffbcd
SHA2564c88f42b1fa15b8b13420c35d947ae6307ee667749c7015e0d71e260e67809ad
SHA51200ec88c8249468423ed989d83e279da226729f88383937b9fb874b9ec5996048ec5ad0e3eb20259933ffdc3b97f4e994ed9e28e36a2249eda2d798c7d902d1ed
-
Filesize
204B
MD56170f223b91a8fae491a088fe680536d
SHA1490567516561caecb53abb9d7f06c20bd0cb5110
SHA25671dfc09ae51a7c3702056acf185a92ba70879e5057b4998ec4036a6c581e39d6
SHA51281039d787df646cff2908a313951542017b4f9d944a3f00fdbb108c4bc221328a2e3b614d2109d43c55c5c017348e7c28a12b5357b22b9f5ecaaa80c4130b225
-
Filesize
204B
MD5679ddfdee9668277b5121e63782d7ed2
SHA19f4d23db031dfa70c8f01501e7b7ab9d5b990403
SHA256c7ff2da58a5b0dd638425ffae958f8e01dbd571b6f1531669d0bd27bfa17028a
SHA51272d837597a6d0e9b7d3b70dbeabc11f0b9e147281416e1862f0fa364f64bbd0562938edcaa503893a513f45e3061cab3c0eb9a20167191ce697aae2af07d15de
-
Filesize
204B
MD54f73280023f533f452bea5842528dd73
SHA1f7133d6c3df7d7487dfd575eb130cb61fabd6934
SHA2566bb15df5ce1ca5a030421c22bb70e3cb012704d89252068a8c12b120ddf9366a
SHA5121d8e24cfff28a4c594d7efd0b9889516294540b026bd6531f31ab31f187177d5820b0f8ae0b4c4f13453b4b9f792a3100436f74874affec0ec73ddf0de0c9fe1
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478