Analysis
max time kernel: 143s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 00:33
Behavioral task: behavioral1
Sample: JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Size: 1.3MB
MD5: 6d43f526c616a7c4062bb12f13ae1dd8
SHA1: 080775f3f2adb478bef3ac5bf9d04a3235044965
SHA256: bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e
SHA512: f2735baee1c7cae75a7172229ff5909fe7748a2d9d23543281e8b332423a2331601f4c3db343f3f6eff0c3308794db12ad08a64983bebbbd8884698f64d9db1f
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral2/files/0x0007000000023c9b-10.dat | dcrat
behavioral2/memory/2052-13-0x00000000006B0000-0x00000000007C0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | StartMenuExperienceHost.exe
-
Executes dropped EXE 13 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
22 | raw.githubusercontent.com
23 | raw.githubusercontent.com
40 | raw.githubusercontent.com
53 | raw.githubusercontent.com
46 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
54 | raw.githubusercontent.com
35 | raw.githubusercontent.com
39 | raw.githubusercontent.com
44 | raw.githubusercontent.com
45 | raw.githubusercontent.com
-
Drops file in Program Files directory 18 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Mail\sysmon.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\dotnet\swidtag\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\System\ja-JP\66fc9ff0ee96c2 | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\images\55b276f4edf653 | DllCommonsvc.exe
File created | C:\Program Files\dotnet\swidtag\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Common Files\System\ja-JP\sihost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\en-US\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\121e5b5079f7c0 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\en-US\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
-
Modifies registry class 13 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | StartMenuExperienceHost.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe"
Depth: 1
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Depth: 2
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
Depth: 3
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864
-
C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
Depth: 4
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\dwm.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\winlogon.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\sysmon.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ja-JP\sihost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\cmd.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\smss.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\lsass.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\csrss.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yP8Ja1d28V.bat"
Depth: 5
- Suspicious use of WriteProcessMemory
PID:3528
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 6
PID:1600
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe
Command line: "C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"
Depth: 6
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5724
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
Depth: 7
- Suspicious use of WriteProcessMemory
PID:6052
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 8
PID:6112
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe
Command line: "C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"
Depth: 8
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5324
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
Depth: 9
- Suspicious use of WriteProcessMemory
PID:2616
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 10
PID:1156
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe
Command line: "C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"
Depth: 10
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
Depth: 11
PID:3660
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 12
PID:1840
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe
Command line: "C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"
Depth: 12
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
Depth: 13
PID:5244
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 14
PID:5460
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe
Command line: "C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"
Depth: 14
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
Depth: 15
PID:4520
-
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 16
PID:5172
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"17⤵PID:2428
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:4944
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"19⤵PID:3012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2388
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"21⤵PID:2352
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:5512
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"23⤵PID:2196
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:3976
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"25⤵PID:4056
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:5860
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5764 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"27⤵PID:6104
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:2676
-
-
C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ja-JP\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ja-JP\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416
Network
MITRE ATT&CK Enterprise v15
Downloads