Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:15
Behavioral task
behavioral1
Sample
JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe
-
Size
1.3MB
-
MD5
379b61eb87d6a4bad33cf07bfdfad5b5
-
SHA1
cee4ff3948e36c4e51d7b075d177ab2b4ab0e403
-
SHA256
c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73
-
SHA512
7af42f2486111fc14ceffe8805746f49826f05fe267171caa161228166be19f194da877c15b056f5ea3588826060c70cd76a42de6824f95b70a6a8766aec1402
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0006000000019284-9.dat | dcrat
behavioral1/memory/2640-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp | dcrat
behavioral1/memory/2720-151-0x0000000000310000-0x0000000000420000-memory.dmp | dcrat
behavioral1/memory/1248-270-0x00000000002A0000-0x00000000003B0000-memory.dmp | dcrat
behavioral1/memory/1672-330-0x0000000000E90000-0x0000000000FA0000-memory.dmp | dcrat
behavioral1/memory/1824-391-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/2528-452-0x0000000000CD0000-0x0000000000DE0000-memory.dmp | dcrat
behavioral1/memory/2544-572-0x00000000010A0000-0x00000000011B0000-memory.dmp | dcrat
behavioral1/memory/2904-806-0x0000000000270000-0x0000000000380000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
pid | Process
2640 | DllCommonsvc.exe
3060 | DllCommonsvc.exe
2720 | dllhost.exe
1248 | dllhost.exe
1672 | dllhost.exe
1824 | dllhost.exe
2528 | dllhost.exe
1720 | dllhost.exe
2544 | dllhost.exe
1916 | dllhost.exe
2828 | dllhost.exe
1896 | dllhost.exe
2904 | dllhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2568 | cmd.exe
2568 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
4 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
-
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\powershell.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\it-IT\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\e978f868350d50 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\services.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\de-DE\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\088424020bedd6 | DllCommonsvc.exe
-
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\es-ES\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\Boot\DVD\EFI\en-US\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\Help\Windows\en-US\powershell.exe | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\Aero\en-US\101b941d020240 | DllCommonsvc.exe
File created | C:\Windows\Tasks\services.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Windows\addins\OSPPSVC.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\addins\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\addins\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Windows\es-ES\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Windows\Help\Windows\en-US\e978f868350d50 | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\Aero\en-US\lsm.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c63ae4c4dcfdd38a6d640df3e2690418450a01044e002401109ceffe59115f73.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\en-US\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"7⤵PID:1800
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2392
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"9⤵PID:1328
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵
PID:1900
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat" 11⤵
PID:1884
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵
PID:1868
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat" 13⤵
PID:2144
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵
PID:2816
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat" 15⤵
PID:2164
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵
PID:1520
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat" 17⤵
PID:2200
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵
PID:1608
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat" 19⤵
PID:1668
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵
PID:1636
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat" 21⤵
PID:1648
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵
PID:2756
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat" 23⤵
PID:1876
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵
PID:380
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat" 25⤵
PID:2912
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵
PID:2588
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe" 26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
PID:1280
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
PID:1908
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
PID:812
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
PID:796
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'" /f 1⤵
- Process spawned unexpected child process
PID:2288
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
PID:1584
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\conhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
PID:2544
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Windows\en-US\powershell.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Help\Windows\en-US\powershell.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\en-US\powershell.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\en-US\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
PID:2364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'" /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'" /rl HIGHEST /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\powershell.exe'" /rl HIGHEST /f 1⤵
- Scheduled Task/Job: Scheduled Task
PID:2124
Network
MITRE ATT&CK Enterprise v15
Downloads