Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 00:28
Behavioral task
behavioral1
Sample
JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe
-
Size
1.3MB
-
MD5
b06e5273a5b927e2bb0ec418593825f0
-
SHA1
6783c78181fa0d3cce62eabcad7625bc4ba99960
-
SHA256
c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3
-
SHA512
da0d71abb833e373671ac49223e06d22aa269f4e6b47c74ef1eac359e27fa687cbb87d35e4edacd295ad7b46c36f2636fcd34ac878959ae96c2d11b04792470b
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0007000000019273-9.dat | dcrat
behavioral1/memory/2096-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp | dcrat
behavioral1/memory/1832-210-0x00000000013E0000-0x00000000014F0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid | Process
2096 | DllCommonsvc.exe
2880 | DllCommonsvc.exe
1832 | powershell.exe
1316 | powershell.exe
1964 | powershell.exe
2052 | powershell.exe
2528 | powershell.exe
2628 | powershell.exe
1536 | powershell.exe
2436 | powershell.exe
2496 | powershell.exe
3052 | powershell.exe
-
Loads dropped DLL 2 IoCs
pid | Process
3064 | cmd.exe
3064 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
13 | raw.githubusercontent.com
20 | raw.githubusercontent.com
23 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
-
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Temp\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\it-IT\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\it-IT\cc11b995f2a76d | DllCommonsvc.exe
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\inf\TermService\0409\spoolsv.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\inf\TermService\0409\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\inf\TermService\0409\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Windows\Offline Web Pages\schtasks.exe | DllCommonsvc.exe
File created | C:\Windows\Offline Web Pages\3a6fe29a7ceee6 | DllCommonsvc.exe
File created | C:\Windows\Speech\Engines\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Speech\Engines\886983d96e3d3e | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c5775316755148c1ef1649f010cf560a1aa0a61455470cc4a4081fcb90541ec3.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\WmiPrvSE.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\smss.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\csrss.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TtorTJJJT1.bat" 6⤵ PID:1228
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2488
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat" 8⤵ PID:960
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:1412
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat" 10⤵ PID:2116
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2628
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat" 12⤵ PID:2056
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2924
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"14⤵PID:2144
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1596
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"16⤵PID:696
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1580
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"18⤵PID:580
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2932
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"20⤵PID:1664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:484
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"22⤵PID:1628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1016
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"24⤵PID:1868
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1800
-
-
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'" /f1⤵
- Process spawned unexpected child process
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:852
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB