Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
22-12-2024 00:43
Behavioral task
behavioral1
Sample
JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
-
Size
1.3MB
-
MD5
4f01f846774d6aa86f007ff35694f359
-
SHA1
6fa86a12ba02f5d89cbdeee0f3ec57ba4828c1a4
-
SHA256
5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc
-
SHA512
6d0ae358fda729f153be34d4c9580ad1115a05a1a16eca679f878b95351ad4b98c1bb7552f4a0006eb08b91b3d751a0b6f173827645369313e67199eb7ad1ba4
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x0007000000019605-12.dat | dcrat
behavioral1/memory/3060-13-0x0000000000370000-0x0000000000480000-memory.dmp | dcrat
behavioral1/memory/892-68-0x0000000000910000-0x0000000000A20000-memory.dmp | dcrat
behavioral1/memory/2472-211-0x0000000000180000-0x0000000000290000-memory.dmp | dcrat
behavioral1/memory/388-272-0x0000000000B80000-0x0000000000C90000-memory.dmp | dcrat
behavioral1/memory/1144-332-0x00000000011A0000-0x00000000012B0000-memory.dmp | dcrat
behavioral1/memory/908-392-0x0000000000260000-0x0000000000370000-memory.dmp | dcrat
behavioral1/memory/1592-453-0x0000000001270000-0x0000000001380000-memory.dmp | dcrat
behavioral1/memory/2964-690-0x00000000012C0000-0x00000000013D0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 12 IoCs
pid | Process
3060 | DllCommonsvc.exe
892 | services.exe
2472 | services.exe
388 | services.exe
1144 | services.exe
908 | services.exe
1592 | services.exe
1912 | services.exe
1564 | services.exe
1528 | services.exe
2964 | services.exe
1180 | services.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2928 | cmd.exe
2928 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
26 | raw.githubusercontent.com
39 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
23 | raw.githubusercontent.com
-
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\27d1bcfc3c54e0 | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\42af1c969fbb7b | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\Media\Afternoon\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\Media\Afternoon\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb806fad92a5e1bd\dwm.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 36 IoCs
Suspicious use of AdjustPrivilegeToken 32 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff0fdf8aff7bcb0c15d0d9f28026aedc2cf3e4fbb9b37d1532bfde84eb0d0fc.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Afternoon\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"6⤵PID:1596
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1720
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"8⤵PID:2244
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1648
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"10⤵PID:2368
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2984
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"12⤵PID:2480
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:892
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"14⤵PID:496
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2404
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"16⤵PID:2948
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1440
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"18⤵PID:2228
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:936
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"20⤵PID:2852
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:348
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"22⤵PID:1980
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1772
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"24⤵PID:2132
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2264
-
-
C:\providercommon\services.exe"C:\providercommon\services.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"26⤵PID:568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Afternoon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Afternoon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\LocalLow\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB