Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
30/12/2024, 17:41
Behavioral task
behavioral1
Sample
JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe
-
Size
1.3MB
-
MD5
f53dfacb6b320a39657fa0b75dfdcf0a
-
SHA1
4e92bc0af0f3d647744fef41c7b2c73e404c384e
-
SHA256
b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a
-
SHA512
25a9aa92f83dec0f6ac71dba96027a20c82419a6d6da323582906b6803a5164b5529f3770936f91ff5b11d7b912c02d231d0e315af9d09fef12082907c7ab442
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0007000000018780-9.dat | dcrat
behavioral1/memory/2828-13-0x0000000000D50000-0x0000000000E60000-memory.dmp | dcrat
behavioral1/memory/900-86-0x0000000000A10000-0x0000000000B20000-memory.dmp | dcrat
behavioral1/memory/4020-222-0x0000000000AE0000-0x0000000000BF0000-memory.dmp | dcrat
behavioral1/memory/2832-342-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
behavioral1/memory/1500-402-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/3328-462-0x0000000000AC0000-0x0000000000BD0000-memory.dmp | dcrat
behavioral1/memory/4080-582-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat
behavioral1/memory/3292-643-0x0000000001250000-0x0000000001360000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid | Process
2828 | DllCommonsvc.exe
900 | audiodg.exe
4020 | audiodg.exe
2340 | audiodg.exe
2832 | audiodg.exe
1500 | audiodg.exe
3328 | audiodg.exe
3684 | audiodg.exe
4080 | audiodg.exe
3292 | audiodg.exe
3504 | audiodg.exe
3508 | audiodg.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2744 | cmd.exe
2744 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
30 | raw.githubusercontent.com
37 | raw.githubusercontent.com
40 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe | DllCommonsvc.exe
-
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\fr-FR\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\24dbde2999530e | DllCommonsvc.exe
File created | C:\Windows\IME\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\Boot\PCAT\tr-TR\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\tracing\csrss.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\fr-FR\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Windows\IME\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\tracing\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\servicing\fr-FR\wininit.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b864648c3665b63ba4a6fdab253dd9b87f5e242314a6c5998d56af54b2b3b37a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"6⤵PID:3952
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3992
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"8⤵PID:2616
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1816
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"10⤵PID:3012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2988
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"12⤵PID:2588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2928
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"14⤵PID:1600
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:3524
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"16⤵PID:3940
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1120
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"18⤵PID:2772
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2880
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"20⤵PID:2024
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2628
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"22⤵PID:2472
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2620
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"24⤵PID:2116
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:3168
-
-
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"26⤵PID:3644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\cmd.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\IME\cmd.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\cmd.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\explorer.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\OSPPSVC.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\wininit.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\wininit.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\wininit.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\lsass.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\My Documents\lsass.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\lsass.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\cmd.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\csrss.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f
1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms