Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 02:29
Behavioral task
behavioral1
Sample
JaffaCakes118_5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61.exe
-
Size
1.3MB
-
MD5
0d60d367b53c3e700571f2932005f2d2
-
SHA1
1dcba8575a1b1b2fca1513e55a8f16d6f78900e6
-
SHA256
5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61
-
SHA512
5c076d7a169ebecb5315595381ca7ec3c75e9c22f82eda18e8e29d4433094cb4441c6a862b17baf4752d146aed9a4873e561f85cf496c42df7725379e634c3df
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 60 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource yara_rule
behavioral1/files/0x0008000000016c51-12.dat dcrat
behavioral1/memory/2800-13-0x0000000000370000-0x0000000000480000-memory.dmp dcrat
behavioral1/memory/1828-185-0x0000000000840000-0x0000000000950000-memory.dmp dcrat
behavioral1/memory/2688-244-0x0000000000090000-0x00000000001A0000-memory.dmp dcrat
behavioral1/memory/1780-304-0x0000000000BE0000-0x0000000000CF0000-memory.dmp dcrat
behavioral1/memory/1476-364-0x00000000012D0000-0x00000000013E0000-memory.dmp dcrat
behavioral1/memory/2356-602-0x0000000001360000-0x0000000001470000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
pid Process
2800 DllCommonsvc.exe
1348 DllCommonsvc.exe
1828 audiodg.exe
2688 audiodg.exe
1780 audiodg.exe
1476 audiodg.exe
1736 audiodg.exe
1656 audiodg.exe
2336 audiodg.exe
2356 audiodg.exe
880 audiodg.exe
-
Loads dropped DLL 2 IoCs
pid Process
2720 cmd.exe
2720 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc
26 raw.githubusercontent.com
4 raw.githubusercontent.com
9 raw.githubusercontent.com
15 raw.githubusercontent.com
18 raw.githubusercontent.com
33 raw.githubusercontent.com
5 raw.githubusercontent.com
12 raw.githubusercontent.com
22 raw.githubusercontent.com
29 raw.githubusercontent.com
-
Drops file in Program Files directory 11 IoCs
description ioc Process
File created C:\Program Files\Mozilla Firefox\browser\features\27d1bcfc3c54e0 DllCommonsvc.exe
File created C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe DllCommonsvc.exe
File created C:\Program Files\Windows Photo Viewer\ja-JP\6cb0b6c459d5d3 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Sidebar\it-IT\b75386f1303e64 DllCommonsvc.exe
File created C:\Program Files (x86)\Common Files\System\en-US\WmiPrvSE.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Common Files\System\en-US\24dbde2999530e DllCommonsvc.exe
File created C:\Program Files\Mozilla Firefox\browser\features\System.exe DllCommonsvc.exe
File created C:\Program Files\Windows Media Player\Icons\smss.exe DllCommonsvc.exe
File created C:\Program Files\DVD Maker\fr-FR\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\DVD Maker\fr-FR\0a1fd5f707cd16 DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\Speech\Common\it-IT\winlogon.exe DllCommonsvc.exe
File created C:\Windows\winsxs\x86_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d661f15bff622f11\winlogon.exe DllCommonsvc.exe
File created C:\Windows\ShellNew\wininit.exe DllCommonsvc.exe
File created C:\Windows\ShellNew\56085415360792 DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e7f3126a61489a1bcd26be369016b16af3097eed9b37810513ec72d78d6cc61.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zSoFCSTtdt.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1284
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\en-US\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\fr-FR\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oinIVsngqt.bat"7⤵PID:3056
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2328
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"9⤵PID:1620
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1508
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"11⤵PID:2308
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1412
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"13⤵PID:608
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1704
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"15⤵PID:2592
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:300
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"17⤵PID:1716
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:468
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OS3CX563UF.bat"19⤵PID:2248
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:1900
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"21⤵PID:3032
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:320
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"23⤵PID:2412
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2572
-
-
C:\providercommon\audiodg.exe"C:\providercommon\audiodg.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"25⤵PID:2012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2432
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Templates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
Network
MITRE ATT&CK Enterprise v15
Downloads