Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 19:26
Behavioral task
behavioral1
Sample
JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
-
Size
1.3MB
-
MD5
1ba91bf9dd57860a1c06b74732e50ea8
-
SHA1
7d1307ff0d4af4a37c69a5feffd54aaf9c590376
-
SHA256
ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138
-
SHA512
51308f98be76dcc1e1ac3234121098e34c13871560b12a0d44316d9ebc5acccbff7f0896ed461c2c141f88d679808e985f0642369e7fe6ec98dee1e719ad14fe
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2684 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2748 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 568 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 884 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1524 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1964 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1952 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2104 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2924 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2264 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 700 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2300 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1112 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 760 2944 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 580 2944 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x0007000000016d54-12.dat dcrat behavioral1/memory/2772-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp dcrat behavioral1/memory/2780-188-0x00000000003D0000-0x00000000004E0000-memory.dmp dcrat behavioral1/memory/2096-247-0x0000000000AC0000-0x0000000000BD0000-memory.dmp dcrat behavioral1/memory/1512-307-0x0000000000BF0000-0x0000000000D00000-memory.dmp dcrat behavioral1/memory/3060-367-0x0000000000D30000-0x0000000000E40000-memory.dmp dcrat behavioral1/memory/3052-486-0x0000000000FD0000-0x00000000010E0000-memory.dmp dcrat behavioral1/memory/1044-605-0x00000000000B0000-0x00000000001C0000-memory.dmp dcrat behavioral1/memory/1508-665-0x0000000000DC0000-0x0000000000ED0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2420 powershell.exe 1544 powershell.exe 2492 powershell.exe 3056 powershell.exe 264 powershell.exe 1676 powershell.exe 848 powershell.exe 2424 powershell.exe 1988 powershell.exe 1564 powershell.exe 1012 powershell.exe 1260 powershell.exe 764 powershell.exe 1956 powershell.exe 1124 powershell.exe 1532 powershell.exe 1988 powershell.exe 1980 powershell.exe 2484 powershell.exe 1744 powershell.exe 1980 powershell.exe 1812 powershell.exe 2864 powershell.exe 2440 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2772 DllCommonsvc.exe 920 DllCommonsvc.exe 2780 dwm.exe 2096 dwm.exe 1512 dwm.exe 3060 dwm.exe 3032 dwm.exe 3052 dwm.exe 1608 dwm.exe 1044 dwm.exe 1508 dwm.exe 2640 dwm.exe -
Loads dropped DLL 2 IoCs
pid Process 2108 cmd.exe 2108 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 29 raw.githubusercontent.com 32 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 22 raw.githubusercontent.com 12 raw.githubusercontent.com 25 raw.githubusercontent.com -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\Office14\1033\Idle.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\OSPPSVC.exe DllCommonsvc.exe File created C:\Program Files\Windows Journal\it-IT\sppsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\1610b97d3ab4a7 DllCommonsvc.exe File created C:\Program Files\Windows Journal\it-IT\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\dwm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e DllCommonsvc.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\Prefetch\ReadyBoot\csrss.exe DllCommonsvc.exe File created C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\Boot\Fonts\csrss.exe DllCommonsvc.exe File created C:\Windows\PLA\System\WmiPrvSE.exe DllCommonsvc.exe File created C:\Windows\PLA\System\24dbde2999530e DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3004 schtasks.exe 1708 schtasks.exe 2300 schtasks.exe 540 schtasks.exe 1356 schtasks.exe 2328 schtasks.exe 1972 schtasks.exe 2216 schtasks.exe 2816 schtasks.exe 2684 schtasks.exe 2376 schtasks.exe 2856 schtasks.exe 1484 schtasks.exe 2188 schtasks.exe 2264 schtasks.exe 2796 schtasks.exe 568 schtasks.exe 1620 schtasks.exe 1720 schtasks.exe 1968 schtasks.exe 2312 schtasks.exe 1524 schtasks.exe 700 schtasks.exe 2404 schtasks.exe 2748 schtasks.exe 1724 schtasks.exe 2392 schtasks.exe 1952 schtasks.exe 1992 schtasks.exe 2788 schtasks.exe 2648 schtasks.exe 2960 schtasks.exe 1720 schtasks.exe 1112 schtasks.exe 1976 schtasks.exe 2620 schtasks.exe 1932 schtasks.exe 3064 schtasks.exe 2104 schtasks.exe 2248 schtasks.exe 3016 schtasks.exe 2992 schtasks.exe 2112 schtasks.exe 2924 schtasks.exe 2820 schtasks.exe 884 schtasks.exe 2940 schtasks.exe 2660 schtasks.exe 580 schtasks.exe 1480 schtasks.exe 1652 schtasks.exe 1964 schtasks.exe 2652 schtasks.exe 2244 schtasks.exe 2744 schtasks.exe 2952 schtasks.exe 760 schtasks.exe 2284 schtasks.exe 2856 schtasks.exe 2728 schtasks.exe 2184 schtasks.exe 1128 schtasks.exe 1792 schtasks.exe 852 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 2772 DllCommonsvc.exe 2772 DllCommonsvc.exe 2772 DllCommonsvc.exe 1744 powershell.exe 2420 powershell.exe 1980 powershell.exe 2424 powershell.exe 1956 powershell.exe 1988 powershell.exe 920 DllCommonsvc.exe 1532 powershell.exe 1544 powershell.exe 264 powershell.exe 1260 powershell.exe 3056 powershell.exe 2440 powershell.exe 2492 powershell.exe 1012 powershell.exe 1980 powershell.exe 1676 powershell.exe 2864 powershell.exe 848 powershell.exe 764 powershell.exe 1812 powershell.exe 1988 powershell.exe 1124 powershell.exe 1564 powershell.exe 2484 powershell.exe 2780 dwm.exe 2096 dwm.exe 1512 dwm.exe 3060 dwm.exe 3032 dwm.exe 3052 dwm.exe 1608 dwm.exe 1044 dwm.exe 1508 dwm.exe 2640 dwm.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 2772 DllCommonsvc.exe Token: SeDebugPrivilege 1744 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 1980 powershell.exe Token: SeDebugPrivilege 2424 powershell.exe Token: SeDebugPrivilege 1956 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 920 DllCommonsvc.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 1544 powershell.exe Token: SeDebugPrivilege 264 powershell.exe Token: SeDebugPrivilege 1260 powershell.exe Token: SeDebugPrivilege 3056 powershell.exe Token: SeDebugPrivilege 2440 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 1012 powershell.exe Token: SeDebugPrivilege 1980 powershell.exe Token: SeDebugPrivilege 1676 powershell.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 848 powershell.exe Token: SeDebugPrivilege 764 powershell.exe Token: SeDebugPrivilege 1812 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 1124 powershell.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeDebugPrivilege 2780 dwm.exe Token: SeDebugPrivilege 2096 dwm.exe Token: SeDebugPrivilege 1512 dwm.exe Token: SeDebugPrivilege 3060 dwm.exe Token: SeDebugPrivilege 3032 dwm.exe Token: SeDebugPrivilege 3052 dwm.exe Token: SeDebugPrivilege 1608 dwm.exe Token: SeDebugPrivilege 1044 dwm.exe Token: SeDebugPrivilege 1508 dwm.exe Token: SeDebugPrivilege 2640 dwm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2380 2416 JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe 30 PID 2416 wrote to memory of 2380 2416 JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe 30 PID 2416 wrote to memory of 2380 2416 JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe 30 PID 2416 wrote to memory of 2380 2416 JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe 30 PID 2380 wrote to memory of 2108 2380 WScript.exe 31 PID 2380 wrote to memory of 2108 2380 WScript.exe 31 PID 2380 wrote to memory of 2108 2380 WScript.exe 31 PID 2380 wrote to memory of 2108 2380 WScript.exe 31 PID 2108 wrote to memory of 2772 2108 cmd.exe 33 PID 2108 wrote to memory of 2772 2108 cmd.exe 33 PID 2108 wrote to memory of 2772 2108 cmd.exe 33 PID 2108 wrote to memory of 2772 2108 cmd.exe 33 PID 2772 wrote to memory of 1988 2772 DllCommonsvc.exe 50 PID 2772 wrote to memory of 1988 2772 DllCommonsvc.exe 50 PID 2772 wrote to memory of 1988 2772 DllCommonsvc.exe 50 PID 2772 wrote to memory of 1744 2772 DllCommonsvc.exe 51 PID 2772 wrote to memory of 1744 2772 DllCommonsvc.exe 51 PID 2772 wrote to memory of 1744 2772 DllCommonsvc.exe 51 PID 2772 wrote to memory of 2424 2772 DllCommonsvc.exe 52 PID 2772 wrote to memory of 2424 2772 DllCommonsvc.exe 52 PID 2772 wrote to memory of 2424 2772 DllCommonsvc.exe 52 PID 2772 wrote to memory of 1980 2772 DllCommonsvc.exe 53 PID 2772 wrote to memory of 1980 2772 DllCommonsvc.exe 53 PID 2772 wrote to memory of 1980 2772 DllCommonsvc.exe 53 PID 2772 wrote to memory of 1956 2772 DllCommonsvc.exe 54 PID 2772 wrote to memory of 1956 2772 DllCommonsvc.exe 54 PID 2772 wrote to memory of 1956 2772 DllCommonsvc.exe 54 PID 2772 wrote to memory of 2420 2772 DllCommonsvc.exe 55 PID 2772 wrote to memory of 2420 2772 DllCommonsvc.exe 55 PID 2772 wrote to memory of 2420 2772 DllCommonsvc.exe 55 PID 2772 wrote to memory of 1592 2772 DllCommonsvc.exe 59 PID 2772 wrote to memory of 1592 2772 DllCommonsvc.exe 59 PID 2772 wrote to memory of 1592 2772 DllCommonsvc.exe 59 PID 1592 wrote to memory of 1640 1592 cmd.exe 64 PID 1592 wrote to memory of 1640 1592 cmd.exe 64 PID 1592 wrote to memory of 1640 1592 cmd.exe 64 PID 1592 wrote to memory of 920 1592 cmd.exe 65 PID 1592 wrote to memory of 920 1592 cmd.exe 65 PID 1592 wrote to memory of 920 1592 cmd.exe 65 PID 920 wrote to memory of 1544 920 DllCommonsvc.exe 117 PID 920 wrote to memory of 1544 920 DllCommonsvc.exe 117 PID 920 wrote to memory of 1544 920 DllCommonsvc.exe 117 PID 920 wrote to memory of 1124 920 DllCommonsvc.exe 118 PID 920 wrote to memory of 1124 920 DllCommonsvc.exe 118 PID 920 wrote to memory of 1124 920 DllCommonsvc.exe 118 PID 920 wrote to memory of 1532 920 DllCommonsvc.exe 119 PID 920 wrote to memory of 1532 920 DllCommonsvc.exe 119 PID 920 wrote to memory of 1532 920 DllCommonsvc.exe 119 PID 920 wrote to memory of 1564 920 DllCommonsvc.exe 120 PID 920 wrote to memory of 1564 920 DllCommonsvc.exe 120 PID 920 wrote to memory of 1564 920 DllCommonsvc.exe 120 PID 920 wrote to memory of 1012 920 DllCommonsvc.exe 121 PID 920 wrote to memory of 1012 920 DllCommonsvc.exe 121 PID 920 wrote to memory of 1012 920 DllCommonsvc.exe 121 PID 920 wrote to memory of 1812 920 DllCommonsvc.exe 122 PID 920 wrote to memory of 1812 920 DllCommonsvc.exe 122 PID 920 wrote to memory of 1812 920 DllCommonsvc.exe 122 PID 920 wrote to memory of 1988 920 DllCommonsvc.exe 124 PID 920 wrote to memory of 1988 920 DllCommonsvc.exe 124 PID 920 wrote to memory of 1988 920 DllCommonsvc.exe 124 PID 920 wrote to memory of 264 920 DllCommonsvc.exe 125 PID 920 wrote to memory of 264 920 DllCommonsvc.exe 125 PID 920 wrote to memory of 264 920 DllCommonsvc.exe 125 PID 920 wrote to memory of 2484 920 DllCommonsvc.exe 126 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L5E7ua4yvn.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1640
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e7C8pmPDNU.bat"7⤵PID:1040
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2852
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"9⤵PID:440
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1848
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"11⤵PID:676
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2464
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"13⤵PID:372
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2528
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"15⤵PID:2472
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2236
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"17⤵PID:2600
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2728
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"19⤵PID:2484
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:3068
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"21⤵PID:2780
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2472
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"23⤵PID:2660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2696
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"25⤵PID:2140
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2892
-
-
C:\Program Files (x86)\Windows Sidebar\dwm.exe"C:\Program Files (x86)\Windows Sidebar\dwm.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PLA\System\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\System.exe'" /f1⤵
- Process spawned unexpected child process
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2284
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD564217dfd0c73366fe50257687dfe6c9a
SHA13184da3282b056bc4f7d3a72fa791e88084b02b8
SHA256a35825a8ef2fc9b18f3b4cf2c1dba0573eafcd4d0a568d9ed7bdcf325f44e3c7
SHA512ab88bbde6c2f096b85c087fa1574bebd1ef126b6c34bb7ee4bdd52826b0e6b7cc4e6a6b6708290c4d13d6fabebdad0664f341924014960b4aeea9461dd313d7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD512fdb4e9b53b617fe69a946f7711cd1c
SHA1b6d294a23ffa518a7d3b896849c88b8f0d9c8dda
SHA2562a829ba15592115efda0d31e98b42f82633a06e3d93a937415e2304ff9397b3e
SHA512f0220dc8a045910191a6944f42d2ff6acbbe29583785a99d9fd03b2b91541a97b1905bb6160a27a5ebd832f09b730d3696153157a6ac74fb1be2bdc7e336afb2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5df495b60d7798ba1ba812d5e2d7ef1c1
SHA185848b71f69196ac8d371e6a41c08fcabaefdbc7
SHA256259c0c36ca0f4c7b48088df5d89b0da09b322a09ae450426a6b24e28b75ae8c9
SHA5121183e7c4aedc6dd388a15857d0c2940d22f7f177df55b8f3a83f46739c15c9755d3e3cc4b3ec043e4747dc5a52a3e87c195d6f8be8d135ef163771a9e0db9da5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e24c7fbbf5389eb70627407955ce4d75
SHA1eecd15cc60eb843f8ce12fe7e682644ed39a7b91
SHA2560dfb0cb27ae84807d5934906f194b02f53bcd1d02b93e7de4969825162d7206b
SHA512e95455407b0c846a181c25fa99872161ad6cfa85fc9fc2e563b5461f5589cc3fbeb36e6b3e4e96d5a7fb48c4ae7154f073d8b1e1b3d4539f3e04f05d2cd392f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59dbea3d478a23e55d31b190289612c71
SHA1a4141392316dfaa7564a7ecbbaea2573e8124b0a
SHA256fa1b159156a2a46e601080f69b0dd9d488ac6b6ef7941fcc9a2bd7590cb1bed0
SHA512f6e2cf0088f95ec4fd8955fa396e0fc343b04bea808a076eaeb1f2a904184926c68cdf33d2f750aa96fa18d90327734a8e361c4205be4bd5acea1874b44cfda8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD574f973c3e41b1edbb80fbd58a861d85d
SHA12e108f06c61ac7b93af0b2ac767cf4c4bc2f17ce
SHA2565d74e0256aa04b4e294d6d3218e28c75f91431b6d7ebca570c5c33da7d6f66de
SHA512c1541510d9ed34792b11536e8059889f7d72c8be465b0df331cd16742c6c5d6a6f3e2223c193a7e837abe0b32027d2966335fd05d847f073c1a251f0543b6ea0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e1569af4b48f7af32c10592f765e7e7d
SHA1c389400a9a43d8ccf579a54857949a5b33061d58
SHA25621793281ffa411f4daccc4d3d85a119205da1fedb1e10a4f66918c484fb78e4f
SHA512b0cd420edffd29061ea6fc698df56825c9f9cf00d13299375dc16e6870b332d055db5e7773f8822d1b1d7e4db3b9b44a27e51e6e46899f1dc55bddd98610a47b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b8eb72674f3d61b88536dd6383d6d5eb
SHA1d61096555205769051d9d9595f2e59dcf9dac959
SHA2569f0e9fda9d32d6240d381c9a0c69cf933a371c86a0877bfc247cb77556ac1a51
SHA51211d368d36dfbdd35296adc9866bccf15cf419ab225a83a58f79fa6c6956f6883a7ee790368697be258f05fcef934abb4f941f5b0324c1c46be24b30d17350075
-
Filesize
211B
MD57e96bfd489418d7bbe11b5003ade11f4
SHA1fb059a12b5ea7101cb2ef527d18099436d749f43
SHA2565c97cf1349bc09828d39be933a397d62a5a43648bdcd6e55ebf2e00c6d60270b
SHA512b6013be16aeb9c4b0be5bd6d17e69132f810ee17481b99f3a347b862f58cc78339e724533abd5e3308eb6e1f4f95825b1a84fa504737eb62601e379357a0ea10
-
Filesize
211B
MD56c4e3ea59a89fff4e5b4e2642017463e
SHA1c9a09160b51ac9e48207f41804f3829a15ed7c20
SHA2560beb3df0078a1f526dfd176dde21f4474c69927cb8575893cc94f0c8a730345f
SHA5124fe2f7a822354ae0cf019333ea352a4c43617cd196172fa8e2ca9d7250eb433377a8bcce750c25d89100986c0f2b25b5da51a486c21bc3053a4bb4f03ce10e4c
-
Filesize
211B
MD59ee833286dff138c53d8d76bb73635f3
SHA1ef3f142c0a04449ad963488d963c4bb41b306888
SHA256c78d544715dfc7bbad9c136c4aca84ba206205732db5e69e0b43d7949a81de27
SHA512a8bdeeedee39b638d29519e8a1ead359c7091e70678aeaa996ea85bffdde403b007b17ce90d340ef266884bb1d3846089d718d00c0d30a3d25492a3e105febdd
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
211B
MD5eb7bdb983adcf4cbcb02c4361487f3b1
SHA1de4a07257266eaa059e45bb8083e7cb8220157b9
SHA2569dbc40bd111a6591492f0588bbec654ae3b7eebfb19c93e35876dc68304c1511
SHA5122ee00347a1db37a5cbd0c004671f195212dbf50e2b7dcff1172e2bc0a7377ac411f5286e22cc555bd1ede62feec585e4dd826621ca551db861c69ed20aaeb83d
-
Filesize
199B
MD5cd8f1b605f7aa7366eee07cae31da9d9
SHA118ba286330deebde26b0b1932f75e4e03b408a26
SHA256b45c229507d1a3fca1ea08115aee561c04c1b0bc596de92372fbe2a95b2ef41f
SHA512d77be1bbe3eec9f2183da4acafb8336935d9d387a33590173e35900dc3a137e1d16f4911f22f955516c6ebef90730ba7f81bafb75cf419f67d92bd22ede1e5f6
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
211B
MD54c87b36df382bf9e6dd8d6da8233a88f
SHA13dd147bb353d6c59a4ea7413ff62ddf5cfa24dea
SHA25601bbf3b7d7f475f833c2a43854c6d51a1c9b943942ad8e827a022029a28ccabc
SHA51293f62eae48b96d2ca95574cd2ec002d8cdf2488266bd8015fe5678ca4a1d97148a796d7551bb273ff79cfe4eb66c3a5d74a4095b5b6405963913422349f77493
-
Filesize
211B
MD50b19aab0243749970fb2037c92365785
SHA15143b3075f1544dcc2ee98a3992b6f64da4d9e22
SHA256f79bdb1fedfe9f4595082c6dc3b2f18fab288d0e90a8aa7d22d26ae5e69ba04b
SHA5127bdfd98cae9008fd78c0de5b8b5297fa3d2531018b56f2ac285c91e5160f0dd05c464dcce60f930df02f02e237d651cde4f6cc5221ca7753cd821c809a132db5
-
Filesize
211B
MD5dac8984fab67529344c282d70f1f034e
SHA1b47d2ca380cd4fdab836fff3705cf922532a1d1b
SHA256689b49a1f93ea715b0aff7145c090d0a81b9ed8d06bc40c68aef448182b5b8c4
SHA51211fd670d3d561052de5f6d242e8cc2cf5691d78f735bbd82c6a45562a1332eb6acff2135a651135ed65185e388a0951b2c67529a198892bf0672ffc202802bc9
-
Filesize
211B
MD5f118078da06fc2129a9802bbb1a2c638
SHA1918f69c7630afe63fc1c4aabe14c517e9301b709
SHA25664d45e46576f636dfd02556ff1261434d6a5bfab453a3f59dd36f3c8fb3a68fa
SHA512b4933c8823b1980f5b1a082d4104208bff72f9488f8fe786741cf82bbbef9f811c7d00fa9b13411d29ddf2bdbf601acca7582cf7fb22cf67a83fd33da02bd6be
-
Filesize
211B
MD5a28e7e9e17a4cba0a5e2aad7b4edc4a5
SHA18c0edbd3c32201f15c4e103e71d843ed6a25db54
SHA256f788c188c3dce7ebe372f043ed02d6756505be1bc6121b827d2da8254fb4aeb7
SHA5122f4492d01ef8e800936811591045bc2cc245dc5203b87eba59cb5a68f109d03de04e5329f9c766327e0a527f981418416898fee51d912b68db20291b9cf54303
-
Filesize
211B
MD5d6766f744bc99fdf992fdbd12387e6ce
SHA13918e38c265d490a2edc86c3f6bb6d1151ae33ea
SHA2568a29020136f31d85c1b0a23da76239bfd1d886d6c9de34e3656395a575c8cf08
SHA51225d9a8da63e9d6be363d589f8f3b30aa676af69e931d34515b7aff964c4b372acfaf51124273a3b6f2f5e74d8c50d40719a3d2ce5a72806ff7ce1802146d011b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD52c0cc177dd0b13af9551ade64fe3b33c
SHA1078a2186dc7754e35863c26a3f6ed6cb347895d6
SHA25636fca29b4012bf200813c1f636b859dbcac0495e2a451b5f7fff4f223c3b42a4
SHA5128cdcd553ec4c800ff9c516e45e08b6ad9f18a52636009fe242ce000d819cf780fa1473b708bccb29f65db940c8f1b793ab153946b01c248d268f6a500979e3a7
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478