Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 02:01
Behavioral task
behavioral1
Sample
JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
-
Size
1.3MB
-
MD5
190de366c69cccb7c329ed896d21e705
-
SHA1
9195874442ba7e1c889709cc84adf5533f2de23d
-
SHA256
5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24
-
SHA512
c177b2e74b18ebbaced07eab84010fba90a34ffe728930b579064af2c590e103243b5881b61d21e00c63da9c8144430682bd9e2c2ed187a1f0cddb51b2c2c9b1
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3276 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4116 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3656 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3152 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4936 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3496 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4960 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3172 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3324 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1216 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 728 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4924 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4700 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4568 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3980 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3764 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1300 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 408 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3148 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1828 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4984 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2848 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1436 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4008 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1084 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4140 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3936 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4884 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4408 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3932 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 388 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3160 388 schtasks.exe 88 -
resource yara_rule behavioral2/files/0x0007000000023c8c-10.dat dcrat behavioral2/memory/4832-13-0x0000000000EC0000-0x0000000000FD0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4036 powershell.exe 1588 powershell.exe 848 powershell.exe 4260 powershell.exe 4796 powershell.exe 2784 powershell.exe 3200 powershell.exe 4844 powershell.exe 4448 powershell.exe 4128 powershell.exe 5020 powershell.exe 2124 powershell.exe 4608 powershell.exe 3388 powershell.exe 3992 powershell.exe 2860 powershell.exe 1848 powershell.exe 1048 powershell.exe 1700 powershell.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation Registry.exe -
Executes dropped EXE 15 IoCs
pid Process 4832 DllCommonsvc.exe 2244 Registry.exe 5620 Registry.exe 4872 Registry.exe 920 Registry.exe 5212 Registry.exe 2216 Registry.exe 2912 Registry.exe 5552 Registry.exe 5632 Registry.exe 2316 Registry.exe 3872 Registry.exe 808 Registry.exe 1912 Registry.exe 2500 Registry.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow ioc 51 raw.githubusercontent.com 12 raw.githubusercontent.com 38 raw.githubusercontent.com 47 raw.githubusercontent.com 42 raw.githubusercontent.com 43 raw.githubusercontent.com 49 raw.githubusercontent.com 50 raw.githubusercontent.com 15 raw.githubusercontent.com 36 raw.githubusercontent.com 41 raw.githubusercontent.com 52 raw.githubusercontent.com 13 raw.githubusercontent.com 37 raw.githubusercontent.com 53 raw.githubusercontent.com -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\DllCommonsvc.exe DllCommonsvc.exe File created C:\Program Files\Windows Defender\uk-UA\lsass.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\5b884080fd4f94 DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 DllCommonsvc.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\a76d7bf15d8370 DllCommonsvc.exe File created C:\Program Files\Windows Defender\uk-UA\6203df4a6bafc7 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ea1d8f6d871115 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\fr-FR\56085415360792 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe DllCommonsvc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\Registry.exe DllCommonsvc.exe File created C:\Windows\ServiceProfiles\ee2ad38f3d4382 DllCommonsvc.exe File created C:\Windows\DiagTrack\Scenarios\OfficeClickToRun.exe DllCommonsvc.exe File created C:\Windows\DiagTrack\Scenarios\e6c9b481da804f DllCommonsvc.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe DllCommonsvc.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\55b276f4edf653 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings Registry.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1436 schtasks.exe 3496 schtasks.exe 3764 schtasks.exe 4080 schtasks.exe 2212 schtasks.exe 4008 schtasks.exe 1076 schtasks.exe 972 schtasks.exe 1216 schtasks.exe 408 schtasks.exe 1084 schtasks.exe 3656 schtasks.exe 1144 schtasks.exe 1828 schtasks.exe 4140 schtasks.exe 3932 schtasks.exe 2356 schtasks.exe 2848 schtasks.exe 3980 schtasks.exe 2324 schtasks.exe 3276 schtasks.exe 4116 schtasks.exe 1300 schtasks.exe 2764 schtasks.exe 1996 schtasks.exe 4924 schtasks.exe 3148 schtasks.exe 4960 schtasks.exe 2112 schtasks.exe 3324 schtasks.exe 1424 schtasks.exe 3936 schtasks.exe 3160 schtasks.exe 4724 schtasks.exe 2948 schtasks.exe 2256 schtasks.exe 1856 schtasks.exe 4884 schtasks.exe 4056 schtasks.exe 3152 schtasks.exe 3172 schtasks.exe 4984 schtasks.exe 1636 schtasks.exe 2892 schtasks.exe 2380 schtasks.exe 2868 schtasks.exe 728 schtasks.exe 4568 schtasks.exe 1152 schtasks.exe 2944 schtasks.exe 4936 schtasks.exe 4700 schtasks.exe 4408 schtasks.exe 4976 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 4832 DllCommonsvc.exe 1048 powershell.exe 1048 powershell.exe 2784 powershell.exe 2784 powershell.exe 3388 powershell.exe 3388 powershell.exe 4260 powershell.exe 4260 powershell.exe 4448 powershell.exe 4448 powershell.exe 1700 powershell.exe 1700 powershell.exe 4608 powershell.exe 4608 powershell.exe 848 powershell.exe 848 powershell.exe 2124 powershell.exe 2124 powershell.exe 1588 powershell.exe 1588 powershell.exe 3992 powershell.exe 3992 powershell.exe 4844 powershell.exe 4844 powershell.exe 3200 powershell.exe 3200 powershell.exe 4128 powershell.exe 4128 powershell.exe 5020 powershell.exe 5020 powershell.exe 4036 powershell.exe 4036 powershell.exe 4796 powershell.exe 4796 powershell.exe 1848 powershell.exe 1848 powershell.exe 2860 powershell.exe 2860 powershell.exe 4608 powershell.exe 2244 Registry.exe 2244 Registry.exe 4036 powershell.exe 2860 powershell.exe 1048 powershell.exe 1048 powershell.exe 3388 powershell.exe 3388 powershell.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeDebugPrivilege 4832 DllCommonsvc.exe Token: SeDebugPrivilege 1048 powershell.exe Token: SeDebugPrivilege 2784 powershell.exe Token: SeDebugPrivilege 3388 powershell.exe Token: SeDebugPrivilege 4796 powershell.exe Token: SeDebugPrivilege 4260 powershell.exe Token: SeDebugPrivilege 4448 powershell.exe Token: SeDebugPrivilege 1700 powershell.exe Token: SeDebugPrivilege 4608 powershell.exe Token: SeDebugPrivilege 848 powershell.exe Token: SeDebugPrivilege 1588 powershell.exe Token: SeDebugPrivilege 2124 powershell.exe Token: SeDebugPrivilege 3992 powershell.exe Token: SeDebugPrivilege 4844 powershell.exe Token: SeDebugPrivilege 3200 powershell.exe Token: SeDebugPrivilege 4128 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeDebugPrivilege 5020 powershell.exe Token: SeDebugPrivilege 4036 powershell.exe Token: SeDebugPrivilege 2244 Registry.exe Token: SeDebugPrivilege 1848 powershell.exe Token: SeDebugPrivilege 5620 Registry.exe Token: SeDebugPrivilege 4872 Registry.exe Token: SeDebugPrivilege 920 Registry.exe Token: SeDebugPrivilege 5212 Registry.exe Token: SeDebugPrivilege 2216 Registry.exe Token: SeDebugPrivilege 2912 Registry.exe Token: SeDebugPrivilege 5552 Registry.exe Token: SeDebugPrivilege 5632 Registry.exe Token: SeDebugPrivilege 2316 Registry.exe Token: SeDebugPrivilege 3872 Registry.exe Token: SeDebugPrivilege 808 Registry.exe Token: SeDebugPrivilege 1912 Registry.exe Token: SeDebugPrivilege 2500 Registry.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 3620 2100 JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe 83 PID 2100 wrote to memory of 3620 2100 JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe 83 PID 2100 wrote to memory of 3620 2100 JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe 83 PID 3620 wrote to memory of 1900 3620 WScript.exe 85 PID 3620 wrote to memory of 1900 3620 WScript.exe 85 PID 3620 wrote to memory of 1900 3620 WScript.exe 85 PID 1900 wrote to memory of 4832 1900 cmd.exe 87 PID 1900 wrote to memory of 4832 1900 cmd.exe 87 PID 4832 wrote to memory of 1848 4832 DllCommonsvc.exe 144 PID 4832 wrote to memory of 1848 4832 DllCommonsvc.exe 144 PID 4832 wrote to memory of 3200 4832 DllCommonsvc.exe 145 PID 4832 wrote to memory of 3200 4832 DllCommonsvc.exe 145 PID 4832 wrote to memory of 4608 4832 DllCommonsvc.exe 146 PID 4832 wrote to memory of 4608 4832 DllCommonsvc.exe 146 PID 4832 wrote to memory of 2784 4832 DllCommonsvc.exe 147 PID 4832 wrote to memory of 2784 4832 DllCommonsvc.exe 147 PID 4832 wrote to memory of 4796 4832 DllCommonsvc.exe 148 PID 4832 wrote to memory of 4796 4832 DllCommonsvc.exe 148 PID 4832 wrote to memory of 4260 4832 DllCommonsvc.exe 149 PID 4832 wrote to memory of 4260 4832 DllCommonsvc.exe 149 PID 4832 wrote to memory of 2124 4832 DllCommonsvc.exe 150 PID 4832 wrote to memory of 2124 4832 DllCommonsvc.exe 150 PID 4832 wrote to memory of 5020 4832 DllCommonsvc.exe 152 PID 4832 wrote to memory of 5020 4832 DllCommonsvc.exe 152 PID 4832 wrote to memory of 4128 4832 DllCommonsvc.exe 153 PID 4832 wrote to memory of 4128 4832 DllCommonsvc.exe 153 PID 4832 wrote to memory of 848 4832 DllCommonsvc.exe 155 PID 4832 wrote to memory of 848 4832 DllCommonsvc.exe 155 PID 4832 wrote to memory of 4448 4832 DllCommonsvc.exe 156 PID 4832 wrote to memory of 4448 4832 DllCommonsvc.exe 156 PID 4832 wrote to memory of 2860 4832 DllCommonsvc.exe 157 PID 4832 wrote to memory of 2860 4832 DllCommonsvc.exe 157 PID 4832 wrote to memory of 1700 4832 DllCommonsvc.exe 158 PID 4832 wrote to memory of 1700 4832 DllCommonsvc.exe 158 PID 4832 wrote to memory of 4844 4832 DllCommonsvc.exe 159 PID 4832 wrote to memory of 4844 4832 DllCommonsvc.exe 159 PID 4832 wrote to memory of 1588 4832 DllCommonsvc.exe 160 PID 4832 wrote to memory of 1588 4832 DllCommonsvc.exe 160 PID 4832 wrote to memory of 4036 4832 DllCommonsvc.exe 161 PID 4832 wrote to memory of 4036 4832 DllCommonsvc.exe 161 PID 4832 wrote to memory of 3992 4832 DllCommonsvc.exe 162 PID 4832 wrote to memory of 3992 4832 DllCommonsvc.exe 162 PID 4832 wrote to memory of 3388 4832 DllCommonsvc.exe 164 PID 4832 wrote to memory of 3388 4832 DllCommonsvc.exe 164 PID 4832 wrote to memory of 1048 4832 DllCommonsvc.exe 165 PID 4832 wrote to memory of 1048 4832 DllCommonsvc.exe 165 PID 4832 wrote to memory of 2244 4832 DllCommonsvc.exe 181 PID 4832 wrote to memory of 2244 4832 DllCommonsvc.exe 181 PID 2244 wrote to memory of 5472 2244 Registry.exe 184 PID 2244 wrote to memory of 5472 2244 Registry.exe 184 PID 5472 wrote to memory of 5548 5472 cmd.exe 186 PID 5472 wrote to memory of 5548 5472 cmd.exe 186 PID 5472 wrote to memory of 5620 5472 cmd.exe 187 PID 5472 wrote to memory of 5620 5472 cmd.exe 187 PID 5620 wrote to memory of 5836 5620 Registry.exe 189 PID 5620 wrote to memory of 5836 5620 Registry.exe 189 PID 5836 wrote to memory of 5888 5836 cmd.exe 191 PID 5836 wrote to memory of 5888 5836 cmd.exe 191 PID 5836 wrote to memory of 4872 5836 cmd.exe 198 PID 5836 wrote to memory of 4872 5836 cmd.exe 198 PID 4872 wrote to memory of 4452 4872 Registry.exe 209 PID 4872 wrote to memory of 4452 4872 Registry.exe 209 PID 4452 wrote to memory of 3388 4452 cmd.exe 211 PID 4452 wrote to memory of 3388 4452 cmd.exe 211 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\uk-UA\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\OfficeClickToRun.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:5472 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:5548
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5620 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:5836 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:5888
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:3388
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"12⤵PID:736
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:4500
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5212 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"14⤵PID:1152
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:4464
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2216 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"16⤵PID:4612
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1564
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"18⤵PID:3100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:5532
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"20⤵PID:5784
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:5640
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5632 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"22⤵PID:5876
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:5156
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"24⤵PID:2932
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:5976
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"26⤵PID:4588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2620
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:808 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"28⤵PID:5404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:2836
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"30⤵PID:5232
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:2336
-
-
C:\Windows\ServiceProfiles\Registry.exe"C:\Windows\ServiceProfiles\Registry.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"32⤵PID:5144
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:5264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Application Data\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\uk-UA\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Scenarios\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
204B
MD5d57344427812d5559a05c2e11d75dd4a
SHA186a9b1d64afb718468d20bd9b0aae2e6163dfb22
SHA256e7c55f163fd798c62114a14f76565b03c300ecd6bc825f7165a391ba9dac39a1
SHA512bd046ea55b34f888f9cbdba6131eae0ea43cbbd50e83c4fe80c71f33c7f721b2d9575a44482c921dfc3bceeb0d56aca51e93c7a6fb461b89118c5d2ac2cf0ea2
-
Filesize
204B
MD555be539dadaf3fc3128f9d470525a893
SHA1ce2ed6cd22ce92e3812867810affe225b24fcfce
SHA256a0827c61900519d87188e986d8ed31fa365dbe72edcd729b3fefb2004790a025
SHA512f92e516274f4ba9750d0d900ee1841f1b3694d16d626c861725cc1a3499e5f94dde95529af4d824e1372d3996611d700e2204842f2f2fd9ac44f619ae0d7abd0
-
Filesize
204B
MD5e0c8569f60ba2eff49296933b74883a3
SHA17fb86b19b9d2635afdcc9a8bdfc0a87e991fa287
SHA256d1277abcd6eb06fb3a472f9f86193654590670d048edce13899224e785438520
SHA51215044e5d141c2a33bf6dda533588d11cc4f697456fbbebf03f34b26c17caaa67bfdeb1be5dca458a4408578ebd8ce665f048ffc6fe5491ad9605bcc3c870f2b8
-
Filesize
204B
MD5c1e07d0e4ad78095e0311fdec075aac6
SHA1fe06d428b2e8875e09ec4b4d80c4e040e2033fa4
SHA256c3bd202ac82f0ac211658c77f704ce67d816746408e28487f38a0cf03d75d71d
SHA51230c6f4ea60450bdbbdb3b94ff3883bc3d2feb7127811a3bd7e2ccf0f7a7b4981e4ae958b0e53bcb5e7ea35e6c0c4d068067e1b22d9b86675c77afff43ab3289f
-
Filesize
204B
MD5d2bf81e41fb1347fd1ed141f362eeef6
SHA12ad952d9ae7de5bc67e1294e9b497a552bd30cf0
SHA2569c44e6ab8b9789733be3c92fc6b7bcb1e7ba2559686f9de7483f0ebc76d0c45a
SHA512ea3cc1d83d5c69f53d288b050231818df2988ff7cd778faf966654faaab16fd39ab3fb74d60406d0a7f6fc0c2206075de72dea36d0ffbf819fa3c969a8c418b4
-
Filesize
204B
MD51380fad2117b79aa3c96a5549b600cd2
SHA1ec1292bcc33037182d64cd6dfb083501d9d87f57
SHA256403adcaf33566576a15a57f131cf42853782135146383732fae8fdf1350a477e
SHA512ad0be6ca24ca3818e036e75b2ac70bf8d9e7b4e86576754b06ce88f40c6cd169e2fc00a65990fbfab254dc74c0283f0b54c7a7ac440e632bb3242e5f800f06a7
-
Filesize
204B
MD5b8fec66f3a68f8a33dc92c2299b663e2
SHA15454c4aa1483fb1f60755b8636a9b6efbc48cf27
SHA2560dad37b9d2aa4ae21c73ae2fb3861d2e00dcbb82a4e6b6ff460ee76619315f84
SHA512b20d66f1472fe27364e72b955ab7a4ccb9ad5dfc6a21cab56e787012d828441d5ad1cdc17f162acab128e774013eedbfbce3ec8def69090902a86a9a1e8c5131
-
Filesize
204B
MD5424ffa15ebcaf3593ed802cade945907
SHA134a2d76d9dccee857cc2224702d06547c528a288
SHA25612dbfd72cdb0d6906c1a9fb153192449c6440db96cb9fad2f93c3d81503f6227
SHA51202489153f24c278d9ed9203d5fbe548666cc892828fec78c2187c89bd91814bca214b1f4a0418aeacc8139e9eede0e75caea1a2358bc6870bfc1e9206b97968a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
204B
MD515148ed3190b2a8d5a5b176c35105283
SHA19a0cb05d86c8de834513a6ffa7d884d08726f215
SHA2566d537b1882bb2b5e05763d74a0e3627b081e256aaecc46b12fc40159a3c08841
SHA51284f777b05c813d51e43a285cef0d06785023ef5a8a80f3ff2c7026e910dbc14df7346e98ab3b08e29c661da15b0bc9d967497f04c9d76c64cedb296c1da20edd
-
Filesize
204B
MD5512ec265b6798545d081147c927ee125
SHA1b36dee50aaa2ef706dd2dcf2924b0b6e456428d9
SHA256384358bafc1add138d44f58e3d438d7d2de75e448523057f1e9cb8e1c52a233e
SHA5121b8ad4fb4b1b908278c895ad069ea23daf16311ae6710ef96392926e5575902dd45ba711a9ddc34e211885552f9d22fb532cf69cd1a02ecc044ad83766430088
-
Filesize
204B
MD553347d92db6a99b083c07069ceea599f
SHA17c5ea212cc7b1f529e2325277af7681df2732a18
SHA2568b7f83228e0f72b8741bccbc55870bf487cfdea77dc62ae9acd8f3040e73813c
SHA512bd7285cdf333b2ad2b6957021bcb2304cb5c898e42600887f70628837c875b70ccab8f9806d137071501ae7863c068ad61b2c65fd76600ba9649a868ed1d7a02
-
Filesize
204B
MD5713d39370f50af6b7b7975f79c56e5d3
SHA167b31ea0d991307613710170789728e77465af6d
SHA256cba80ed41fd65e355c049dc627c0a60dde3c08223426fd907afd1b5f0f65ef57
SHA512c3f53aea51cc3ec0547db2a0998ef33b714cd433e6fc8b4f77de07331c8a15a7e2ea0e48d004e6fd33d8340d1fe7147dda98a0e61f66f3c8fe1b8110bb42b73b
-
Filesize
204B
MD564bebd3b138e7e42c08a5d1097b918c0
SHA196c2958d505d5b7bfa44c1daa0c43876e4eb3875
SHA256f892ce3737cad501c93a991d604c13c538c7a4379169d078e312a735f1bed16e
SHA512fb4df3540db512c2ebccf6e73378456b6e6de6b45dc5c711cd019b18f7f54dd2a99531098b0c093e4d19872733514778680b7c355c8ea6b02ae8d479c615303e
-
Filesize
204B
MD589fb7863d4448b7d6e79b4652df063cc
SHA1e28abd45e02c189634f772d66096b5a5445130ec
SHA2564e4b7c2116f4be06833a9a9825f8945d650f189465121fe4c88941c345883f1d
SHA5121aacd07f30ef50ab4fdfb2a35527a369775bb46ace6d9a29458482dbdb30f062efaba22146ba9ee5f2db8574dd2ab7e8c0eed44a34c1da22316a61ec5209c20b
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478