Analysis
-
max time kernel
144s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 17:22
Behavioral task
behavioral1
Sample
JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
-
Size
1.3MB
-
MD5
16697be95f406116df0fc9b42d05cd5b
-
SHA1
6003ca0500f546496a78b42e16f1c60cef1ffaa3
-
SHA256
524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1
-
SHA512
e7b98c61f15513ffb2034e0a529317c3a2afcd9d0a9aa9d54eb3e4edd0942e4a1101489ff72298ab2c51f04751c26dd16629059d2df52621bfffd34e64693ce8
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
pid  Process
2308  cmd.exe
2308  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow  ioc
26  raw.githubusercontent.com
29  raw.githubusercontent.com
9  raw.githubusercontent.com
12  raw.githubusercontent.com
19  raw.githubusercontent.com
22  raw.githubusercontent.com
33  raw.githubusercontent.com
4  raw.githubusercontent.com
5  raw.githubusercontent.com
15  raw.githubusercontent.com
-
Drops file in Program Files directory 21 IoCs
description  ioc  Process
File created  C:\Program Files\Common Files\powershell.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Uninstall Information\services.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\conhost.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16  DllCommonsvc.exe
File created  C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Media Player\Media Renderer\powershell.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Media Player\Media Renderer\e978f868350d50  DllCommonsvc.exe
File created  C:\Program Files (x86)\Common Files\Services\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Common Files\Services\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Program Files\Common Files\e978f868350d50  DllCommonsvc.exe
File created  C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\6203df4a6bafc7  DllCommonsvc.exe
File created  C:\Program Files (x86)\Uninstall Information\sppsvc.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Sidebar\ja-JP\088424020bedd6  DllCommonsvc.exe
File created  C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\lsass.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\088424020bedd6  DllCommonsvc.exe
File opened for modification  C:\Program Files (x86)\Common Files\Services\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe  DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  C:\Windows\Vss\6ccacd8608530f  DllCommonsvc.exe
File created  C:\Windows\AppCompat\conhost.exe  DllCommonsvc.exe
File created  C:\Windows\AppCompat\088424020bedd6  DllCommonsvc.exe
File created  C:\Windows\Vss\Idle.exe  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_524faec0efb3ab0cfb2d14f91a695710ca21c9c1691a78b63100ca015c8490c1.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\lsass.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\sppsvc.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\conhost.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\powershell.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Idle.exe' 6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Kv4WacyUz.bat" 6⤵ PID:2604
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:1712
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe "C:\Program Files (x86)\Uninstall Information\sppsvc.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat" 8⤵ PID:1216
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1568
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"10⤵PID:2636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:604
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"12⤵PID:2428
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:880
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"14⤵PID:1328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:644
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"16⤵PID:2444
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2336
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"18⤵PID:1296
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:352
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"20⤵PID:2232
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1152
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"22⤵PID:1236
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1932
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"24⤵PID:3020
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1272
-
-
C:\Program Files (x86)\Uninstall Information\sppsvc.exe"C:\Program Files (x86)\Uninstall Information\sppsvc.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Pictures\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Common Files\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Idle.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1508
Network
MITRE ATT&CK Enterprise v15
Downloads