Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 17:34
Behavioral task: behavioral1
Sample: JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Size: 1.3MB
MD5: 2566e9a0059f9fac9e4e999937f0d94f
SHA1: 418d6ffcffd6eb1ba7b6966ca5437ebc3c4615a0
SHA256: 19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415
SHA512: 6dfd6f0a0aa78dfb7eb3117f645e35ae52d52b641886b9041a8cb8856228914426f97eecabd1b911c0ce3309c345e7a38015f0b2239f87571e958c4577131966
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral2/files/0x0007000000023c98-10.dat | dcrat
behavioral2/memory/4156-13-0x0000000000E10000-0x0000000000F20000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | sppsvc.exe
-
Executes dropped EXE 14 IoCs
pid | Process
4156 | DllCommonsvc.exe
5664 | sppsvc.exe
4456 | sppsvc.exe
4176 | sppsvc.exe
4512 | sppsvc.exe
5392 | sppsvc.exe
2348 | sppsvc.exe
5304 | sppsvc.exe
2428 | sppsvc.exe
952 | sppsvc.exe
1180 | sppsvc.exe
432 | sppsvc.exe
6076 | sppsvc.exe
4492 | sppsvc.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
55 | raw.githubusercontent.com
57 | raw.githubusercontent.com
58 | raw.githubusercontent.com
18 | raw.githubusercontent.com
40 | raw.githubusercontent.com
41 | raw.githubusercontent.com
54 | raw.githubusercontent.com
47 | raw.githubusercontent.com
56 | raw.githubusercontent.com
19 | raw.githubusercontent.com
26 | raw.githubusercontent.com
45 | raw.githubusercontent.com
46 | raw.githubusercontent.com
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Multimedia Platform\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\uk-UA\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\uk-UA\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files\Crashpad\SearchApp.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\Crashpad\38384e6a620884 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\5b884080fd4f94 | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Prefetch\ReadyBoot\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\56085415360792 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
-
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | sppsvc.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\sihost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\uk-UA\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\SearchApp.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WKGBtBnPFh.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:5952
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5664 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:3012
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:4312
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4176 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat" 11⤵ PID:6020
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:3276
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4512 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat" 13⤵ PID:2704
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:3284
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5392 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat" 15⤵ PID:5184
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:6096
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2348 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat" 17⤵ PID:1088
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:5484
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5304 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat" 19⤵ PID:2896
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:6012
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat" 21⤵ PID:5972
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:5616
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:952 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat" 23⤵ PID:2324
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:1452
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat" 25⤵ PID:5380
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:1832
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:432 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat" 27⤵ PID:1228
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:2892
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6076 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat" 29⤵ PID:4072
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 30⤵ PID:1196
-
-
C:\Recovery\WindowsRE\sppsvc.exe "C:\Recovery\WindowsRE\sppsvc.exe" 30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\sihost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sihost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\sihost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\uk-UA\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\uk-UA\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\uk-UA\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\SearchApp.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\SearchApp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\SearchApp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
Network
MITRE ATT&CK Enterprise v15
Downloads