Analysis
max time kernel: 145s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:07
Behavioral task: behavioral1
Sample: JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
Size: 1.3MB
MD5: 44463f70262232632b8df6fe85bedaa6
SHA1: 8d768325f168d80e73c473fa0379b2515913bbc4
SHA256: 714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d
SHA512: b72eb57add3789d0932886e050ffb9b032d7ed5931b799d118ccc30d87108e10d06cb8a16c753a41521bee0d5b1c078cdbb5607c68bf87d0ccd823c900d664f8
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 12 IoCs
pid | Process
2884 | DllCommonsvc.exe
1692 | DllCommonsvc.exe
1664 | schtasks.exe
1808 | schtasks.exe
1044 | schtasks.exe
1636 | schtasks.exe
2456 | schtasks.exe
1928 | schtasks.exe
1432 | schtasks.exe
1360 | schtasks.exe
2712 | schtasks.exe
1948 | schtasks.exe
Loads dropped DLL 2 IoCs
pid | Process
2772 | cmd.exe
2772 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
18 | raw.githubusercontent.com
25 | raw.githubusercontent.com
15 | raw.githubusercontent.com
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\it-IT\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\de-DE\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\it-IT\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\powershell.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\it-IT\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\e978f868350d50 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\en-US\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\en-US\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\LiveKernelReports\smss.exe | DllCommonsvc.exe
File created | C:\Windows\LiveKernelReports\69ddcba757bf72 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 41 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714db34e8628cd69be90dc3f7d9667ead56cf36cc905953619be1a720339398d.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2712
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1812
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\dllhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2392
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2988
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2376
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2304
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1284
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1628
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1084
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\Idle.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:672
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2856
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2960
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2232
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:548
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2728
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2900
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2464
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1868
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\lsm.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2440
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"7⤵PID:1384
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2228
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"9⤵PID:1788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2744
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"11⤵PID:1148
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:2948
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"13⤵PID:2780
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:3036
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"15⤵PID:3008
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:1608
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"17⤵PID:2392
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:1364
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"19⤵PID:304
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:2292
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"21⤵PID:1336
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:2832
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"23⤵PID:2620
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2156
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'" /f1⤵
- Process spawned unexpected child process
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\en-US\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\schtasks.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Default\Favorites\schtasks.exe'" /rl HIGHEST /f1⤵PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f1⤵PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:780
Network
MITRE ATT&CK Enterprise v15
Downloads