Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:45
Behavioral task: behavioral1
Sample: JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Size: 1.3MB
MD5: c9c1a928abbc7ce1398f28a970c84933
SHA1: 5f92b79f4d085a5840b8612f7886c86dc7dff018
SHA256: 9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb
SHA512: c37881d9428b64f97e24e808c394f05f29e19334b1ad25c2ea0eb32a507a9a08791d6d8192bc951865d9247c8ae975418165932e9ceb4a0ab7638a8792f4b8e7
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0006000000018766-9.dat | dcrat
behavioral1/memory/3004-13-0x0000000000130000-0x0000000000240000-memory.dmp | dcrat
behavioral1/memory/1248-154-0x0000000000F60000-0x0000000001070000-memory.dmp | dcrat
behavioral1/memory/1636-213-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
behavioral1/memory/1908-273-0x0000000000DA0000-0x0000000000EB0000-memory.dmp | dcrat
behavioral1/memory/1888-334-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/1796-394-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat
behavioral1/memory/1592-454-0x0000000000FC0000-0x00000000010D0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid | Process
3004 | DllCommonsvc.exe
1248 | smss.exe
1636 | smss.exe
1908 | smss.exe
1888 | smss.exe
1796 | smss.exe
1592 | smss.exe
2956 | smss.exe
2288 | smss.exe
2852 | smss.exe
3048 | smss.exe
876 | smss.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2492 | cmd.exe
2492 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
4 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
28 | raw.githubusercontent.com
36 | raw.githubusercontent.com
39 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
25 | raw.githubusercontent.com
32 | raw.githubusercontent.com
-
Drops file in Program Files directory 18 IoCs
description | ioc | Process
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\fr-FR\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\fr-FR\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\security\ApplicationId\PolicyManagement\smss.exe | DllCommonsvc.exe
File created | C:\Windows\security\ApplicationId\PolicyManagement\69ddcba757bf72 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YAkRWmVbYY.bat"5⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1988
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"7⤵PID:1984
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1244
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"9⤵PID:2604
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:692
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"11⤵PID:2956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1456
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"13⤵PID:2584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1056
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"15⤵PID:3008
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2188
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"17⤵PID:2384
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2916
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"19⤵PID:1784
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2156
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"21⤵PID:1536
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2044
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"23⤵PID:2568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2760
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"25⤵PID:2100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2868
-
-
C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"27⤵PID:1528
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
Network
MITRE ATT&CK Enterprise v15
Downloads