Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 17:24
Behavioral task
behavioral1
Sample
JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe
-
Size
1.3MB
-
MD5
479adce474d995761b5dd7cf15ee982b
-
SHA1
089521a9018dcb5abe009f549375e85054feef16
-
SHA256
1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5
-
SHA512
d852bfeb11f729f355627cfd466fca37cb6403016889d3d1a2dfe621632e4308e36c15c2b410d4980e61252d898ea7cf9029459b3b8a0a4564953d71667f7682
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1420 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2332 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2028 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2276 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 804 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1124 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1464 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2028 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1500 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1728 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1940 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 304 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2828 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 800 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 3036 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 3036 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x00070000000186fd-9.dat dcrat behavioral1/memory/2728-13-0x00000000008E0000-0x00000000009F0000-memory.dmp dcrat behavioral1/memory/2764-121-0x0000000000AD0000-0x0000000000BE0000-memory.dmp dcrat behavioral1/memory/380-267-0x00000000012A0000-0x00000000013B0000-memory.dmp dcrat behavioral1/memory/2420-328-0x00000000000E0000-0x00000000001F0000-memory.dmp dcrat behavioral1/memory/1700-388-0x0000000000A30000-0x0000000000B40000-memory.dmp dcrat behavioral1/memory/2008-448-0x0000000001000000-0x0000000001110000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3016 powershell.exe 1904 powershell.exe 1892 powershell.exe 772 powershell.exe 2064 powershell.exe 2980 powershell.exe 1900 powershell.exe 1744 powershell.exe 2084 powershell.exe 2076 powershell.exe 1732 powershell.exe 2388 powershell.exe 1808 powershell.exe 1524 powershell.exe 752 powershell.exe 2964 powershell.exe 2060 powershell.exe 1360 powershell.exe 2108 powershell.exe 2008 powershell.exe 2988 powershell.exe 2276 powershell.exe 644 powershell.exe 2252 powershell.exe 2700 powershell.exe 1664 powershell.exe -
Executes dropped EXE 9 IoCs
pid Process 2728 DllCommonsvc.exe 1148 DllCommonsvc.exe 2764 sppsvc.exe 380 sppsvc.exe 2420 sppsvc.exe 1700 sppsvc.exe 2008 sppsvc.exe 1888 sppsvc.exe 2848 sppsvc.exe -
Loads dropped DLL 2 IoCs
pid Process 2392 cmd.exe 2392 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 5 raw.githubusercontent.com 9 raw.githubusercontent.com 13 raw.githubusercontent.com 17 raw.githubusercontent.com 21 raw.githubusercontent.com 25 raw.githubusercontent.com 29 raw.githubusercontent.com 4 raw.githubusercontent.com -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\lua\csrss.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088 DllCommonsvc.exe File created C:\Program Files\Windows Mail\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\lua\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files\Windows Mail\services.exe DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\1610b97d3ab4a7 DllCommonsvc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe DllCommonsvc.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\L2Schemas\56085415360792 DllCommonsvc.exe File created C:\Windows\ServiceProfiles\NetworkService\conhost.exe DllCommonsvc.exe File created C:\Windows\ServiceProfiles\NetworkService\088424020bedd6 DllCommonsvc.exe File created C:\Windows\en-US\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\twain_32\WmiPrvSE.exe DllCommonsvc.exe File created C:\Windows\Globalization\ELS\Transliteration\56085415360792 DllCommonsvc.exe File created C:\Windows\L2Schemas\wininit.exe DllCommonsvc.exe File created C:\Windows\AppPatch\6203df4a6bafc7 DllCommonsvc.exe File created C:\Windows\en-US\csrss.exe DllCommonsvc.exe File created C:\Windows\twain_32\24dbde2999530e DllCommonsvc.exe File created C:\Windows\Globalization\ELS\Transliteration\wininit.exe DllCommonsvc.exe File created C:\Windows\AppPatch\lsass.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2792 schtasks.exe 2332 schtasks.exe 2992 schtasks.exe 1464 schtasks.exe 2932 schtasks.exe 2344 schtasks.exe 2360 schtasks.exe 2952 schtasks.exe 2276 schtasks.exe 1584 schtasks.exe 1940 schtasks.exe 2128 schtasks.exe 1612 schtasks.exe 1420 schtasks.exe 2032 schtasks.exe 1124 schtasks.exe 2660 schtasks.exe 2688 schtasks.exe 2952 schtasks.exe 3064 schtasks.exe 576 schtasks.exe 2600 schtasks.exe 2028 schtasks.exe 1784 schtasks.exe 2880 schtasks.exe 304 schtasks.exe 2636 schtasks.exe 2320 schtasks.exe 1328 schtasks.exe 1144 schtasks.exe 1556 schtasks.exe 904 schtasks.exe 2024 schtasks.exe 2448 schtasks.exe 2908 schtasks.exe 2920 schtasks.exe 2928 schtasks.exe 2028 schtasks.exe 1500 schtasks.exe 1728 schtasks.exe 800 schtasks.exe 1876 schtasks.exe 2800 schtasks.exe 2588 schtasks.exe 1688 schtasks.exe 2304 schtasks.exe 2008 schtasks.exe 2484 schtasks.exe 2876 schtasks.exe 1332 schtasks.exe 1484 schtasks.exe 1724 schtasks.exe 2540 schtasks.exe 1588 schtasks.exe 2556 schtasks.exe 2788 schtasks.exe 2972 schtasks.exe 2076 schtasks.exe 2828 schtasks.exe 2720 schtasks.exe 2740 schtasks.exe 2792 schtasks.exe 1936 schtasks.exe 2256 schtasks.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
pid Process 380 sppsvc.exe 2420 sppsvc.exe 1700 sppsvc.exe 2008 sppsvc.exe 1888 sppsvc.exe 2848 sppsvc.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 2728 DllCommonsvc.exe 1664 powershell.exe 2980 powershell.exe 2008 powershell.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 2988 powershell.exe 1808 powershell.exe 3016 powershell.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1744 powershell.exe 1900 powershell.exe 1360 powershell.exe 1524 powershell.exe 2252 powershell.exe 2108 powershell.exe 2964 powershell.exe 2764 sppsvc.exe 2700 powershell.exe 2064 powershell.exe 1892 powershell.exe 2276 powershell.exe 644 powershell.exe 2076 powershell.exe 772 powershell.exe 2084 powershell.exe 752 powershell.exe 2060 powershell.exe 1904 powershell.exe 1732 powershell.exe 2388 powershell.exe 380 sppsvc.exe 2420 sppsvc.exe 1700 sppsvc.exe 2008 sppsvc.exe 1888 sppsvc.exe 2848 sppsvc.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2728 DllCommonsvc.exe Token: SeDebugPrivilege 1664 powershell.exe Token: SeDebugPrivilege 2980 powershell.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 1148 DllCommonsvc.exe Token: SeDebugPrivilege 2988 powershell.exe Token: SeDebugPrivilege 1808 powershell.exe Token: SeDebugPrivilege 3016 powershell.exe Token: SeDebugPrivilege 1744 powershell.exe Token: SeDebugPrivilege 1900 powershell.exe Token: SeDebugPrivilege 1360 powershell.exe Token: SeDebugPrivilege 2764 sppsvc.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeDebugPrivilege 2964 powershell.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 1892 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 644 powershell.exe Token: SeDebugPrivilege 2076 powershell.exe Token: SeDebugPrivilege 772 powershell.exe Token: SeDebugPrivilege 2084 powershell.exe Token: SeDebugPrivilege 752 powershell.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 1904 powershell.exe Token: SeDebugPrivilege 1732 powershell.exe Token: SeDebugPrivilege 2388 powershell.exe Token: SeDebugPrivilege 380 sppsvc.exe Token: SeDebugPrivilege 2420 sppsvc.exe Token: SeDebugPrivilege 1700 sppsvc.exe Token: SeDebugPrivilege 2008 sppsvc.exe Token: SeDebugPrivilege 1888 sppsvc.exe Token: SeDebugPrivilege 2848 sppsvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2292 wrote to memory of 2320 2292 JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe 30 PID 2292 wrote to memory of 2320 2292 JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe 30 PID 2292 wrote to memory of 2320 2292 JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe 30 PID 2292 wrote to memory of 2320 2292 JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe 30 PID 2320 wrote to memory of 2392 2320 WScript.exe 32 PID 2320 wrote to memory of 2392 2320 WScript.exe 32 PID 2320 wrote to memory of 2392 2320 WScript.exe 32 PID 2320 wrote to memory of 2392 2320 WScript.exe 32 PID 2392 wrote to memory of 2728 2392 cmd.exe 34 PID 2392 wrote to memory of 2728 2392 cmd.exe 34 PID 2392 wrote to memory of 2728 2392 cmd.exe 34 PID 2392 wrote to memory of 2728 2392 cmd.exe 34 PID 2728 wrote to memory of 2980 2728 DllCommonsvc.exe 51 PID 2728 wrote to memory of 2980 2728 DllCommonsvc.exe 51 PID 2728 wrote to memory of 2980 2728 DllCommonsvc.exe 51 PID 2728 wrote to memory of 2988 2728 DllCommonsvc.exe 52 PID 2728 wrote to memory of 2988 2728 DllCommonsvc.exe 52 PID 2728 wrote to memory of 2988 2728 DllCommonsvc.exe 52 PID 2728 wrote to memory of 1664 2728 DllCommonsvc.exe 54 PID 2728 wrote to memory of 1664 2728 DllCommonsvc.exe 54 PID 2728 wrote to memory of 1664 2728 DllCommonsvc.exe 54 PID 2728 wrote to memory of 2008 2728 DllCommonsvc.exe 55 PID 2728 wrote to memory of 2008 2728 DllCommonsvc.exe 55 PID 2728 wrote to memory of 2008 2728 DllCommonsvc.exe 55 PID 2728 wrote to memory of 3016 2728 DllCommonsvc.exe 56 PID 2728 wrote to memory of 3016 2728 DllCommonsvc.exe 56 PID 2728 wrote to memory of 3016 2728 DllCommonsvc.exe 56 PID 2728 wrote to memory of 1808 2728 DllCommonsvc.exe 57 PID 2728 wrote to memory of 1808 2728 DllCommonsvc.exe 57 PID 2728 wrote to memory of 1808 2728 DllCommonsvc.exe 57 PID 2728 wrote to memory of 1148 2728 DllCommonsvc.exe 63 PID 2728 wrote to memory of 1148 2728 DllCommonsvc.exe 63 PID 2728 wrote to memory of 1148 2728 DllCommonsvc.exe 63 PID 1148 wrote to memory of 1900 1148 DllCommonsvc.exe 121 PID 1148 wrote to memory of 1900 1148 DllCommonsvc.exe 121 PID 1148 wrote to memory of 1900 1148 DllCommonsvc.exe 121 PID 1148 wrote to memory of 1744 1148 DllCommonsvc.exe 122 PID 1148 wrote to memory of 1744 1148 DllCommonsvc.exe 122 PID 1148 wrote to memory of 1744 1148 DllCommonsvc.exe 122 PID 1148 wrote to memory of 2084 1148 DllCommonsvc.exe 123 PID 1148 wrote to memory of 2084 1148 DllCommonsvc.exe 123 PID 1148 wrote to memory of 2084 1148 DllCommonsvc.exe 123 PID 1148 wrote to memory of 1904 1148 DllCommonsvc.exe 124 PID 1148 wrote to memory of 1904 1148 DllCommonsvc.exe 124 PID 1148 wrote to memory of 1904 1148 DllCommonsvc.exe 124 PID 1148 wrote to memory of 1524 1148 DllCommonsvc.exe 125 PID 1148 wrote to memory of 1524 1148 DllCommonsvc.exe 125 PID 1148 wrote to memory of 1524 1148 DllCommonsvc.exe 125 PID 1148 wrote to memory of 2276 1148 DllCommonsvc.exe 126 PID 1148 wrote to memory of 2276 1148 DllCommonsvc.exe 126 PID 1148 wrote to memory of 2276 1148 DllCommonsvc.exe 126 PID 1148 wrote to memory of 752 1148 DllCommonsvc.exe 127 PID 1148 wrote to memory of 752 1148 DllCommonsvc.exe 127 PID 1148 wrote to memory of 752 1148 DllCommonsvc.exe 127 PID 1148 wrote to memory of 2964 1148 DllCommonsvc.exe 129 PID 1148 wrote to memory of 2964 1148 DllCommonsvc.exe 129 PID 1148 wrote to memory of 2964 1148 DllCommonsvc.exe 129 PID 1148 wrote to memory of 2060 1148 DllCommonsvc.exe 130 PID 1148 wrote to memory of 2060 1148 DllCommonsvc.exe 130 PID 1148 wrote to memory of 2060 1148 DllCommonsvc.exe 130 PID 1148 wrote to memory of 1360 1148 DllCommonsvc.exe 131 PID 1148 wrote to memory of 1360 1148 DllCommonsvc.exe 131 PID 1148 wrote to memory of 1360 1148 DllCommonsvc.exe 131 PID 1148 wrote to memory of 2076 1148 DllCommonsvc.exe 132 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\WmiPrvSE.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\dwm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"7⤵PID:1660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2268
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"9⤵PID:2304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:316
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"11⤵PID:2432
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2724
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"13⤵PID:1660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1860
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"15⤵PID:2540
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1876
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"17⤵PID:2724
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:748
-
-
C:\providercommon\sppsvc.exe"C:\providercommon\sppsvc.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"19⤵PID:2764
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\providercommon\schtasks.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f1⤵PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f1⤵PID:1436
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD522f576e030ccae42f80ac35a63df4e01
SHA11fb75b1e24371c14d8fa7d14853117327fc90cca
SHA256a7ce4bc71c17e072fa07c128f9cb04ad18caa07f3b7bea47bed5a1e3ba08e8b7
SHA5123a1bf816a7c83e3ba9bc54b65183eed98e05b490137979d1bd794ffca4d7d25121d4beeaed3d5ab8a1df9ed595e78983103b1e6e9d9c5aeda6bf568f9e2d089e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53717d9fdd02be55dc0228a750c045635
SHA1224a86b48c039cb139897d6c77e5efe545085c2f
SHA2568aa1012edda648e640e05e171ccf8e9bd67c1aa520090ccb93a9f2df8fcd0f72
SHA512bbee23cda95db9846dc1f7e7109f88413c8bf7fd95d62e934771de2dd908b6612471f21bc98f0ebf6005a099c77e8908f02fe03ef1db0d3ac2191ec78e7329f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD542d54950f5c8beaffbfe5633576458b8
SHA15d063f16ae910d9332ee032411c50592f77b657c
SHA256693956c56f9840fb0b64249d751b45bc4739c633ebd9e0fb4bd4baa22039a1c7
SHA512e2b7c14bf0f4accf5e2df5dfeff07639ae351a245071da7ccd82c321f8ce9a55fffbf326ca16f9bd0fad621074188d81033a82004a7e785509b1db609b447e57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ee78d1ef7ef223e322f8f2a5f0bd3618
SHA127bdb9d5cda245a642b3d8a1935108f773b7dd6f
SHA256ec12ddfed6e7ee631462b2f5b73ea2c6ca061563807172a333bc3955b62760b8
SHA51272288319a0c995b9b8879ef81e90b8b5bc8cee6096fef75371dd79f5b20e843658290a84ed66998032a592a3350bb18484823ab2dd4c0691fd48eb8a7e845ff4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54472cd57568b1ffbceddd3be2234150b
SHA143603d46bce555a686232f685080fc9ea0b6dd99
SHA256644524200d451baf3fe52747bd0f41616ad3b15746528350e44093a75c8741f8
SHA512c24ec27fbfee6c8825bb5d814282dd1b044fa8cc5516b1bdfe9b2158db66376552dbd3ed3cf68a26d7c492bf810e2ac384c29e316c0a8642575abec81908766b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56d6d3981ba24f4914ac82c16449d68b1
SHA199f8276c96a7998ef41b8199e8dd11f619384858
SHA2566089a07ad784a68d18233431ce7e259751b4e6fc134015ac7677becfef81f52b
SHA512a0a783af4480133ad1cd9bfcfbfd9128dc3fffcd8e8ca98c1114c99b247ea3015bd7714c9dac4bc8cf5a82d078a2c099db8caa799bb08f201a707a9fcdd9db85
-
Filesize
193B
MD58e3e7fb486cff57b284212a3a07bf28e
SHA1955af45ff73bc1e93901c2dae411f7f788366328
SHA2565d442a14e5422c8c127570696be0bbac679269752b8fb1a7cea6412b91a1d15b
SHA512e2885c7f0cc9f6753ec1d3445888e9fd0a7fcfdb9a2bf2a87d21355dd462338e024f07bb6110cf85b5665fe7947069cf1effa3d9891b616c2fdc288cd363a60b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
193B
MD5ed8b7cd993c11d233df8e2c3fec43031
SHA11f7212c7e717f127d1ea5f7a91b243070c2ea076
SHA25691dd3a5e5b5ba3e38d3526b2edf2c2e9e421c4895baaa52afc0f7d0b5e480641
SHA512690f3c857c998279ad48d60ef359c303ae3fa2c06bd6a38f1421f3f7511976fa3a29e3bab9ae3a6f018a4fa1011487315ebfe0be7bb9a7757395c11f2324c396
-
Filesize
193B
MD5473f42d4ad5c78cacea804992e0b8e4d
SHA1ca915f8936b0e54aba10f267187424a7f4b3e6dc
SHA2564b186e337167375e738d0f99315e3cca491eff651f9daa9abb8639a3b8a065c9
SHA5126acbf87850a048fbe6970bacce0eff2ae534d52d21c1463d6a2e33028befee337682e1f107a82658ca7dabc27a52ad5c33a7ebe1b0ae5c4d9686fe2c67081537
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
193B
MD514f3796310b19a102cbae1d3e17be8cb
SHA1529f075232ce79da80f3caeb980c003b857471a3
SHA256938561c7b58a22e81490850a4630006ccb58821f4a8e44e7815be5bb60194263
SHA5126f302706740ad83b877df1c759f1454c1b8f03850e509c0c399b8e03ca4c03866f95d58fbd083192c97ccaaeb87cffef5d83473960bbf93737da004fa7042485
-
Filesize
193B
MD53366c8956d59feae20b754e1fb52fbc0
SHA123cd963f4cf98062e43d926c5f4d87e7ed3e5ea3
SHA256a2254072bd649bdf4b5fbd3fab5e4d16eaa4327a0d4d4e04857e6f334e38e372
SHA512ea82d3ca2b19cf51a220e911678571a175b4ff15fa80c3c00c24b74851291817c27444926a2cea4cd4cb4643f733520f0f86fa1b660fe0802fd925cf25443d9d
-
Filesize
193B
MD5b0e08fb13eb0289cafc10eab35a7d03f
SHA15299646c79a41fff116c4ce60960f795e3a3dc02
SHA256b357ca17e7e1f402751a8325fd106ea318f0b5d80ad30805a0094fef801fedfa
SHA512b6b24a68cfad7f561dce85730fdc4ff573e69ea4b9cbe5c33ccf645aa0b9bbb620f5529a6793d94d6856ee58f85e81d1f37f8363da41644772bdc1edb05b43a3
-
Filesize
193B
MD59bd0cdcbfd590a77014ab58e76cee8e0
SHA179f90e09fa1222b959cd937b736d19e881f84a6b
SHA25686a95655c51b810052e7d7fbfba61d8983845952f5c3ee3beebabdcc3d85b274
SHA5121b117c7509dc2bcb4f80362f7a3cf1a78c2eb360ecc99b1928950978b461232127d4520831c607560598dfdae1a431c135eb242d3fade672d5f215e22c809798
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD544169ab3e082f1fb1ac42110fe4bfac3
SHA19bbbcca132a149101b4db99cf18281089dad8d62
SHA2569be34b50756cd1bdd321e86c49f86ef43215cf3fd3abac122f11780dd80a37f5
SHA51295a96a70bc6ad20d5b3fe978863905419df899c2d15ea98bf951985bec4b809d7c070c4dff63e79da0305778b3efbc67e92b7b56ba1c8757e8a3db84ad2f8618
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394