Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 22-12-2024 05:18
Behavioral task: behavioral1
Sample: JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe
Resource: win10v2004-20241007-en
General
-
Target: JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe
Size: 1.3MB
MD5: a1356bfafb7d4168bd2dbf99517c07e8
SHA1: 5ad7150d7c05364e7c4fbef2573f74d47e98cecb
SHA256: 40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe
SHA512: 3a911949f87eeecc6e03ea9b075278047ce38f6a8c5ce0eedd3d262a41e285335d1ba38bb0e0f12b8bca224a9ff77bc7cd861801f70a16f7481df0916738b190
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid  Process
2776  DllCommonsvc.exe
2536  DllCommonsvc.exe
2252  WmiPrvSE.exe
1900  WmiPrvSE.exe
2752  WmiPrvSE.exe
2584  WmiPrvSE.exe
2336  WmiPrvSE.exe
1036  WmiPrvSE.exe
1772  WmiPrvSE.exe
2584  WmiPrvSE.exe
1660  WmiPrvSE.exe
2768  WmiPrvSE.exe
-
Loads dropped DLL 2 IoCs
pid  Process
2580  cmd.exe
2580  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow  ioc
20  raw.githubusercontent.com
27  raw.githubusercontent.com
4  raw.githubusercontent.com
5  raw.githubusercontent.com
12  raw.githubusercontent.com
16  raw.githubusercontent.com
9  raw.githubusercontent.com
23  raw.githubusercontent.com
31  raw.githubusercontent.com
34  raw.githubusercontent.com
-
Drops file in Program Files directory 13 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Windows Media Player\fr-FR\cc11b995f2a76d  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe  DllCommonsvc.exe
File opened for modification  C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Defender\24dbde2999530e  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cc11b995f2a76d  DllCommonsvc.exe
File created  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7a0fd90576e088  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Mail\fr-FR\24dbde2999530e  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Defender\en-US\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Defender\en-US\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe  DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description  ioc  Process
File created  C:\Windows\LiveKernelReports\101b941d020240  DllCommonsvc.exe
File created  C:\Windows\CSC\v2.0.6\smss.exe  DllCommonsvc.exe
File created  C:\Windows\RemotePackages\WmiPrvSE.exe  DllCommonsvc.exe
File created  C:\Windows\RemotePackages\24dbde2999530e  DllCommonsvc.exe
File created  C:\Windows\LiveKernelReports\lsm.exe  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40609b7de672d5caba4bc6662eb428dfb3b59acef74300590e854f19aad2e5fe.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\WmiPrvSE.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAIdwWqxW.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2348
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\WmiPrvSE.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\lsm.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\csrss.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
C:\providercommon\WmiPrvSE.exe "C:\providercommon\WmiPrvSE.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat" 8⤵ PID:1716
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:1748
-
-
C:\providercommon\WmiPrvSE.exe "C:\providercommon\WmiPrvSE.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat" 10⤵ PID:3000
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:1428
-
-
C:\providercommon\WmiPrvSE.exe "C:\providercommon\WmiPrvSE.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat" 12⤵ PID:2544
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:284
-
-
C:\providercommon\WmiPrvSE.exe "C:\providercommon\WmiPrvSE.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat" 14⤵ PID:2580
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2252
-
-
C:\providercommon\WmiPrvSE.exe "C:\providercommon\WmiPrvSE.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat" 16⤵ PID:692
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:1872
-
-
C:\providercommon\WmiPrvSE.exe "C:\providercommon\WmiPrvSE.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"18⤵PID:2272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1296
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"20⤵PID:1644
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2600
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"22⤵PID:2612
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1168
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"24⤵PID:2304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2180
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:296
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB