Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 19:51
Behavioral task
behavioral1
Sample
JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe
-
Size
1.3MB
-
MD5
2dcf50553b85232a9b945cd6cba51948
-
SHA1
d95edd641d22ba757a62e2e95944bb7ed9d5fd7f
-
SHA256
c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb
-
SHA512
ac47089aa076c56f770eea97071bd33fb07def65eced5e6f9aa98bd345aa947650dc1e00bf6b733d8337c0548b7d5dd7b0f63660cb01f4b8c55073a2828075cf
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 2 IoCs
pid Process 2336 cmd.exe 2336 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc 27 raw.githubusercontent.com 37 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 13 raw.githubusercontent.com 16 raw.githubusercontent.com 20 raw.githubusercontent.com 44 raw.githubusercontent.com 4 raw.githubusercontent.com 23 raw.githubusercontent.com 30 raw.githubusercontent.com 34 raw.githubusercontent.com 41 raw.githubusercontent.com -
Drops file in Program Files directory 12 IoCs
description ioc Process
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe DllCommonsvc.exe
File created C:\Program Files\Google\Chrome\Application\lsm.exe DllCommonsvc.exe
File created C:\Program Files\Google\Chrome\Application\101b941d020240 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows NT\TableTextService\it-IT\7a0fd90576e088 DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\69ddcba757bf72 DllCommonsvc.exe
File created C:\Program Files (x86)\Internet Explorer\en-US\5940a34987c991 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Games\Minesweeper\ja-JP\0a1fd5f707cd16 DllCommonsvc.exe
-
Drops file in Windows directory 8 IoCs
description ioc Process
File created C:\Windows\debug\WIA\spoolsv.exe DllCommonsvc.exe
File created C:\Windows\debug\WIA\f3b6ecef712a24 DllCommonsvc.exe
File created C:\Windows\assembly\GAC_MSIL\conhost.exe DllCommonsvc.exe
File created C:\Windows\assembly\GAC_MSIL\088424020bedd6 DllCommonsvc.exe
File created C:\Windows\Migration\WTR\csrss.exe DllCommonsvc.exe
File created C:\Windows\Migration\WTR\886983d96e3d3e DllCommonsvc.exe
File created C:\Windows\Offline Web Pages\csrss.exe DllCommonsvc.exe
File created C:\Windows\Offline Web Pages\886983d96e3d3e DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7dd53cd25b84341bab18041779ebbeba904e6b57882a0363dfa753f379ddfdb.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat" 6⤵ PID:2760
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2012
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat" 8⤵ PID:1972
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2632
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat" 10⤵ PID:2552
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2460
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat" 12⤵ PID:1988
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:1724
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat" 14⤵ PID:1968
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2488
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat" 16⤵ PID:2312
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:1652
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat" 18⤵ PID:1516
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:1280
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat" 20⤵ PID:1644
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:884
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat" 22⤵ PID:448
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2876
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"24⤵PID:2532
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2700
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"26⤵PID:2112
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:316
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"28⤵PID:1884
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:2932
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
Network
MITRE ATT&CK Enterprise v15
Downloads