Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:01
Behavioral task: behavioral1
Sample: JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
Size: 1.3MB
MD5: 190de366c69cccb7c329ed896d21e705
SHA1: 9195874442ba7e1c889709cc84adf5533f2de23d
SHA256: 5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24
SHA512: c177b2e74b18ebbaced07eab84010fba90a34ffe728930b579064af2c590e103243b5881b61d21e00c63da9c8144430682bd9e2c2ed187a1f0cddb51b2c2c9b1
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Every row carries the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 2608, Process schtasks.exe and procid_target 34; the rows differ only in the pid of the spawned schtasks.exe.
-
resource | yara_rule
behavioral1/files/0x0008000000015686-10.dat | dcrat
behavioral1/memory/2684-13-0x0000000000FF0000-0x0000000001100000-memory.dmp | dcrat
behavioral1/memory/2448-227-0x0000000000250000-0x0000000000360000-memory.dmp | dcrat
behavioral1/memory/2828-287-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
behavioral1/memory/2736-347-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat
behavioral1/memory/308-408-0x0000000000E50000-0x0000000000F60000-memory.dmp | dcrat
behavioral1/memory/1480-468-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat
behavioral1/memory/1880-529-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/2524-590-0x0000000000AC0000-0x0000000000BD0000-memory.dmp | dcrat
behavioral1/memory/1568-650-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
behavioral1/memory/2424-708-0x0000000000280000-0x0000000000390000-memory.dmp | dcrat
behavioral1/memory/2476-765-0x0000000000850000-0x0000000000960000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 14 IoCs
pid | Process
2684 | DllCommonsvc.exe
1144 | DllCommonsvc.exe
2432 | DllCommonsvc.exe
2448 | powershell.exe
2828 | powershell.exe
2736 | powershell.exe
308 | powershell.exe
1480 | powershell.exe
2512 | powershell.exe
1880 | powershell.exe
2524 | powershell.exe
1568 | powershell.exe
2424 | powershell.exe
2476 | powershell.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2904 | cmd.exe
2904 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
4 | raw.githubusercontent.com
25 | raw.githubusercontent.com
28 | raw.githubusercontent.com
32 | raw.githubusercontent.com
35 | raw.githubusercontent.com
22 | raw.githubusercontent.com
38 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
-
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\de-DE\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\en-US\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\System\ja-JP\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\powershell.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\e978f868350d50 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\de-DE\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\en-US\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\it-IT\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\System\ja-JP\winlogon.exe | DllCommonsvc.exe
-
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Windows\servicing\GC64\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\088424020bedd6 | DllCommonsvc.exe
File created | C:\Windows\schemas\powershell.exe | DllCommonsvc.exe
File created | C:\Windows\schemas\e978f868350d50 | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\ja-JP\System.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\System.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description | pid | Process
Every row reads "Token: SeDebugPrivilege"; the processes listed are DllCommonsvc.exe and powershell.exe, and the rows differ only in pid.
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ffba813301245829dedc5a71d69d91f368e7ef1bd826dc86d02d84ddf99ea24.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1740
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\ja-JP\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\WmiPrvSE.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\WmiPrvSE.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\powershell.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\67qUUeYaoa.bat"8⤵PID:1548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1708
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"10⤵PID:1796
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2528
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"12⤵PID:404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1620
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"14⤵PID:1748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:624
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"16⤵PID:1780
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1992
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"18⤵PID:392
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2568
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"19⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"20⤵PID:1620
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2204
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"22⤵PID:1500
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:860
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"24⤵PID:3056
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:952
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"26⤵PID:880
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2780
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"28⤵PID:2188
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:2444
-
-
C:\Users\Default User\powershell.exe"C:\Users\Default User\powershell.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"30⤵PID:1044
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /f1⤵
- Process spawned unexpected child process
PID:640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\de-DE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /f1⤵
- Process spawned unexpected child process
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\powershell.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\schemas\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f1⤵PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1108
Network
MITRE ATT&CK Enterprise v15
Downloads