Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 05:18
Behavioral task
behavioral1
Sample
JaffaCakes118_d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8.exe
-
Size
1.3MB
-
MD5
9d9ea18c7c30c7176300da29356132c4
-
SHA1
8a7df16fd4f2f6438ffa52c70527cc7195672faf
-
SHA256
d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8
-
SHA512
189ebc57db66dcaf44985657cd536ea1a756468ce344f1ef7a754bf11ccdda094b0c28946911048643bac87b66985aa1d2afe60498b17cedac315568a697a8b9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (reported for each of the 64 IoCs) -
resource | yara_rule
behavioral1/files/0x000700000001920f-9.dat | dcrat
behavioral1/memory/2700-13-0x0000000001230000-0x0000000001340000-memory.dmp | dcrat
behavioral1/memory/1996-150-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
pid Process 2700 DllCommonsvc.exe 348 DllCommonsvc.exe 1996 lsass.exe 2840 lsass.exe 1692 lsass.exe 2056 lsass.exe 1432 lsass.exe 2860 lsass.exe 1692 lsass.exe 1536 lsass.exe 2540 lsass.exe 1784 lsass.exe 1556 lsass.exe -
Loads dropped DLL 2 IoCs
pid Process 2460 cmd.exe 2460 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 4 raw.githubusercontent.com 5 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 29 raw.githubusercontent.com 9 raw.githubusercontent.com 22 raw.githubusercontent.com 25 raw.githubusercontent.com 32 raw.githubusercontent.com 35 raw.githubusercontent.com -
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\Setup\de-DE\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\System32\Setup\de-DE\5940a34987c991 | DllCommonsvc.exe
-
Drops file in Program Files directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Uninstall Information\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\DESIGNER\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\a76d7bf15d8370 | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Uninstall Information\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\DESIGNER\smss.exe | DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\AppCompat\Programs\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\Aero\fr-FR\System.exe | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\Aero\fr-FR\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Windows\Vss\Writers\Application\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\Vss\Writers\Application\5940a34987c991 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
Token: SeDebugPrivilege (DllCommonsvc.exe, powershell.exe, lsass.exe) -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d03bd3fe4f5d640da6b77edae45ce81b0e3f917489175f05dbd6a53f6ee81cd8.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\fr-FR\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2z7cUCrWoA.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1032
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Setup\de-DE\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"8⤵PID:2996
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2892
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"10⤵PID:2940
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1648
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"12⤵PID:1844
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2584
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"14⤵PID:1732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2340
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"16⤵PID:2160
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1948
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"18⤵PID:316
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1696
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"20⤵PID:664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2476
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"22⤵PID:2292
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:292
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"24⤵PID:1920
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2876
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"26⤵PID:2752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1220
-
-
C:\providercommon\lsass.exe"C:\providercommon\lsass.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\Setup\de-DE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\Setup\de-DE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Setup\de-DE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1280
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB