Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 00:55
Behavioral task: behavioral1
Sample: JaffaCakes118_b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba.exe
Size: 1.3MB
MD5: fbabc50080a0704849c2fc34da2fd0d5
SHA1: 4fd7d9e98a5007d9d4aec3856fb1c746af340f89
SHA256: b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba
SHA512: c5014d2f0628314f2743690dcafcdf05d1802285764bc07771131d1fe3dbcfe47618f3f3fafd9a9ea830bb503c98f563d51101bcf870edcf60e4d02d542e2fbc
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource yara_rule
behavioral1/files/0x0008000000016c73-12.dat dcrat
behavioral1/memory/2960-13-0x0000000000A70000-0x0000000000B80000-memory.dmp dcrat
behavioral1/memory/2772-162-0x00000000001D0000-0x00000000002E0000-memory.dmp dcrat
behavioral1/memory/1244-221-0x0000000000E40000-0x0000000000F50000-memory.dmp dcrat
behavioral1/memory/2136-281-0x00000000000A0000-0x00000000001B0000-memory.dmp dcrat
behavioral1/memory/2104-341-0x00000000013A0000-0x00000000014B0000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid Process
2960 DllCommonsvc.exe
2772 audiodg.exe
1244 audiodg.exe
2136 audiodg.exe
2104 audiodg.exe
2808 audiodg.exe
2508 audiodg.exe
2908 audiodg.exe
2040 audiodg.exe
1156 audiodg.exe
2388 audiodg.exe
2724 audiodg.exe
-
Loads dropped DLL 2 IoCs
pid Process
2936 cmd.exe
2936 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
32 raw.githubusercontent.com
36 raw.githubusercontent.com
9 raw.githubusercontent.com
12 raw.githubusercontent.com
23 raw.githubusercontent.com
26 raw.githubusercontent.com
29 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
15 raw.githubusercontent.com
19 raw.githubusercontent.com
-
Drops file in Program Files directory 10 IoCs
description ioc Process
File created C:\Program Files (x86)\Uninstall Information\explorer.exe DllCommonsvc.exe
File created C:\Program Files\Google\Chrome\smss.exe DllCommonsvc.exe
File created C:\Program Files\Google\Chrome\69ddcba757bf72 DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Program Files (x86)\Uninstall Information\7a0fd90576e088 DllCommonsvc.exe
File created C:\Program Files (x86)\Google\CrashReports\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Google\CrashReports\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe DllCommonsvc.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64 DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description ioc Process
File created C:\Windows\en-US\cmd.exe DllCommonsvc.exe
File created C:\Windows\en-US\ebf1f9fa8afd6d DllCommonsvc.exe
File created C:\Windows\Prefetch\ReadyBoot\spoolsv.exe DllCommonsvc.exe
File created C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24 DllCommonsvc.exe
File created C:\Windows\IME\DllCommonsvc.exe DllCommonsvc.exe
File created C:\Windows\IME\a76d7bf15d8370 DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process
Token: SeDebugPrivilege 2960 DllCommonsvc.exe
Token: SeDebugPrivilege 2944 powershell.exe
Token: SeDebugPrivilege 2456 powershell.exe
Token: SeDebugPrivilege 2768 powershell.exe
Token: SeDebugPrivilege 2992 powershell.exe
Token: SeDebugPrivilege 2440 powershell.exe
Token: SeDebugPrivilege 2580 powershell.exe
Token: SeDebugPrivilege 2576 powershell.exe
Token: SeDebugPrivilege 2880 powershell.exe
Token: SeDebugPrivilege 2668 powershell.exe
Token: SeDebugPrivilege 2652 powershell.exe
Token: SeDebugPrivilege 1656 powershell.exe
Token: SeDebugPrivilege 2820 powershell.exe
Token: SeDebugPrivilege 2620 powershell.exe
Token: SeDebugPrivilege 2996 powershell.exe
Token: SeDebugPrivilege 2740 powershell.exe
Token: SeDebugPrivilege 2532 powershell.exe
Token: SeDebugPrivilege 2760 powershell.exe
Token: SeDebugPrivilege 2444 powershell.exe
Token: SeDebugPrivilege 2704 powershell.exe
Token: SeDebugPrivilege 2932 powershell.exe
Token: SeDebugPrivilege 2772 audiodg.exe
Token: SeDebugPrivilege 1244 audiodg.exe
Token: SeDebugPrivilege 2136 audiodg.exe
Token: SeDebugPrivilege 2104 audiodg.exe
Token: SeDebugPrivilege 2808 audiodg.exe
Token: SeDebugPrivilege 2508 audiodg.exe
Token: SeDebugPrivilege 2908 audiodg.exe
Token: SeDebugPrivilege 2040 audiodg.exe
Token: SeDebugPrivilege 1156 audiodg.exe
Token: SeDebugPrivilege 2388 audiodg.exe
Token: SeDebugPrivilege 2724 audiodg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3b23f91f4a2a86aad5574f5b31cc9bfe4b3b86fc650f41bc6c04bfdf625e1ba.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Y5sLtlTti.bat"5⤵PID:1308
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2848
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"7⤵PID:2164
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2036
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"9⤵PID:1512
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2760
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"11⤵PID:2872
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2548
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"13⤵PID:2984
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:908
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"15⤵PID:448
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2648
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"17⤵PID:2468
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2244
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"19⤵PID:2512
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:684
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"21⤵PID:2880
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2856
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"23⤵PID:640
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1436
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"25⤵PID:2624
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1820
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\IME\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB