Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 21:20
Behavioral task
behavioral1
Sample
JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
-
Size
1.3MB
-
MD5
732feb348deab0790fffe8c519942e99
-
SHA1
608f37e9e72eef830a498e159d03c383056190ec
-
SHA256
eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560
-
SHA512
8c888f1f43430ec5616a3dc299aa1408f6942f32a4715d56ba3542a69656616a5d6224e9522f0fdeb55afbb56e54b1b1f23f17cca299918bc686a8a9fed13263
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource yara_rule behavioral1/files/0x00070000000193d9-12.dat dcrat behavioral1/memory/2756-13-0x0000000000190000-0x00000000002A0000-memory.dmp dcrat behavioral1/memory/2860-76-0x0000000001090000-0x00000000011A0000-memory.dmp dcrat behavioral1/memory/2500-113-0x0000000000080000-0x0000000000190000-memory.dmp dcrat behavioral1/memory/1840-255-0x0000000000A80000-0x0000000000B90000-memory.dmp dcrat behavioral1/memory/2136-315-0x0000000001050000-0x0000000001160000-memory.dmp dcrat behavioral1/memory/2536-493-0x0000000000A50000-0x0000000000B60000-memory.dmp dcrat behavioral1/memory/1304-553-0x0000000000C60000-0x0000000000D70000-memory.dmp dcrat behavioral1/memory/2000-613-0x00000000003A0000-0x00000000004B0000-memory.dmp dcrat behavioral1/memory/2968-673-0x00000000003C0000-0x00000000004D0000-memory.dmp dcrat behavioral1/memory/1036-734-0x00000000001E0000-0x00000000002F0000-memory.dmp dcrat behavioral1/memory/1652-793-0x00000000011C0000-0x00000000012D0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
pid Process 2756 DllCommonsvc.exe 2860 DllCommonsvc.exe 2500 System.exe 1840 System.exe 2136 System.exe 2912 System.exe 2292 System.exe 2536 System.exe 1304 System.exe 2000 System.exe 2968 System.exe 1036 System.exe 1652 System.exe -
Loads dropped DLL 2 IoCs
pid Process 2752 cmd.exe 2752 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 12 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 23 raw.githubusercontent.com 26 raw.githubusercontent.com 30 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 36 raw.githubusercontent.com 4 raw.githubusercontent.com 33 raw.githubusercontent.com -
Drops file in Program Files directory 21 IoCs
description ioc Process File created C:\Program Files\DVD Maker\es-ES\dllhost.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\TableTextService\OSPPSVC.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\TableTextService\1610b97d3ab4a7 DllCommonsvc.exe File created C:\Program Files\Java\jre7\bin\winlogon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\Visualizations\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Program Files\Mozilla Firefox\defaults\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d DllCommonsvc.exe File created C:\Program Files\Windows Mail\es-ES\24dbde2999530e DllCommonsvc.exe File created C:\Program Files\DVD Maker\es-ES\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files\Java\jre7\bin\cc11b995f2a76d DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe DllCommonsvc.exe File created C:\Program Files\DVD Maker\es-ES\5940a34987c991 DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\24dbde2999530e DllCommonsvc.exe File created C:\Program Files\DVD Maker\de-DE\lsm.exe DllCommonsvc.exe File created C:\Program Files\DVD Maker\de-DE\101b941d020240 DllCommonsvc.exe File created C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files\Mozilla Firefox\defaults\Idle.exe DllCommonsvc.exe File created C:\Program Files\DVD Maker\es-ES\Idle.exe DllCommonsvc.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\Branding\ShellBrd\wininit.exe DllCommonsvc.exe File created C:\Windows\Branding\ShellBrd\56085415360792 DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\System.exe DllCommonsvc.exe File created C:\Windows\ehome\de-DE\OSPPSVC.exe DllCommonsvc.exe File created C:\Windows\ehome\de-DE\1610b97d3ab4a7 DllCommonsvc.exe File created C:\Windows\PCHEALTH\ERRORREP\dwm.exe DllCommonsvc.exe File created C:\Windows\PCHEALTH\ERRORREP\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Windows\Offline Web Pages\WmiPrvSE.exe DllCommonsvc.exe File opened for modification C:\Windows\Offline Web Pages\WmiPrvSE.exe DllCommonsvc.exe File created C:\Windows\Offline Web Pages\24dbde2999530e DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\de-DE\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6AAlqGeUwh.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵
PID:3064
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Updater6\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"8⤵PID:1664
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵
PID:2468
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
10⤵
PID:2404
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:916
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
12⤵
PID:572
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:276
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
14⤵
PID:836
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:2608
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
16⤵
PID:2744
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:892
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
18⤵
PID:2824
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1660
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
20⤵
PID:1728
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:1260
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
22⤵
PID:2444
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2384
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
24⤵
PID:1616
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:1360
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
26⤵
PID:2356
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:2856
-
-
C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe
"C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe"
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2768
Network
MITRE ATT&CK Enterprise v15
Downloads