Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 21:47
Behavioral task
behavioral1
Sample
JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe
-
Size
1.3MB
-
MD5
f575f706d318594205de442141c1ecb5
-
SHA1
3b1802d85e90ec9fc0742f4368afb57f23ddaa1a
-
SHA256
a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33
-
SHA512
8459655652b39d7643cc531325b7bd2e1b2aba2e2b22a3ea7b940e270bc4f10587b4e3d8a7ebd253b1e1eee6b2ed25f8d0c36ad672d0fe4d14d6a20b1b37a1b1
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2980 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1672 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 692 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1248 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 380 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2432 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 860 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1092 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 616 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 856 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2264 2720 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2468 2720 schtasks.exe 34
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
pid Process
2480 cmd.exe
2480 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc
33 raw.githubusercontent.com
5 raw.githubusercontent.com
9 raw.githubusercontent.com
12 raw.githubusercontent.com
26 raw.githubusercontent.com
30 raw.githubusercontent.com
4 raw.githubusercontent.com
16 raw.githubusercontent.com
19 raw.githubusercontent.com
22 raw.githubusercontent.com
-
Drops file in Program Files directory 10 IoCs
description ioc Process
File created C:\Program Files\Windows Mail\de-DE\088424020bedd6 DllCommonsvc.exe
File created C:\Program Files\Windows Defender\fr-FR\smss.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\27d1bcfc3c54e0 DllCommonsvc.exe
File created C:\Program Files\Windows NT\Accessories\fr-FR\69ddcba757bf72 DllCommonsvc.exe
File created C:\Program Files\DVD Maker\de-DE\csrss.exe DllCommonsvc.exe
File created C:\Program Files\DVD Maker\de-DE\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files\Windows Mail\de-DE\conhost.exe DllCommonsvc.exe
File created C:\Program Files\Windows Defender\fr-FR\69ddcba757bf72 DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe DllCommonsvc.exe
File created C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe DllCommonsvc.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\CSC\v2.0.6\lsm.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process
Token: SeDebugPrivilege 2056 DllCommonsvc.exe
Token: SeDebugPrivilege 2332 powershell.exe
Token: SeDebugPrivilege 2952 powershell.exe
Token: SeDebugPrivilege 2896 powershell.exe
Token: SeDebugPrivilege 3028 powershell.exe
Token: SeDebugPrivilege 892 powershell.exe
Token: SeDebugPrivilege 2100 powershell.exe
Token: SeDebugPrivilege 1580 powershell.exe
Token: SeDebugPrivilege 996 powershell.exe
Token: SeDebugPrivilege 3000 powershell.exe
Token: SeDebugPrivilege 2252 powershell.exe
Token: SeDebugPrivilege 1512 powershell.exe
Token: SeDebugPrivilege 2940 powershell.exe
Token: SeDebugPrivilege 2820 powershell.exe
Token: SeDebugPrivilege 2352 powershell.exe
Token: SeDebugPrivilege 1640 WmiPrvSE.exe
Token: SeDebugPrivilege 2512 WmiPrvSE.exe
Token: SeDebugPrivilege 2728 WmiPrvSE.exe
Token: SeDebugPrivilege 2196 WmiPrvSE.exe
Token: SeDebugPrivilege 2852 WmiPrvSE.exe
Token: SeDebugPrivilege 1084 WmiPrvSE.exe
Token: SeDebugPrivilege 836 WmiPrvSE.exe
Token: SeDebugPrivilege 1640 WmiPrvSE.exe
Token: SeDebugPrivilege 2296 WmiPrvSE.exe
Token: SeDebugPrivilege 2620 WmiPrvSE.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
PID:548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7eX2I2PXzl.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2428
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"7⤵PID:1480
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:1684
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"9⤵PID:2816
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2388
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"11⤵PID:2460
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:792
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"13⤵PID:2976
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:2248
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"15⤵PID:3036
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:2684
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"17⤵PID:2188
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:3056
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"19⤵PID:1176
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:356
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"21⤵PID:1900
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:1148
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"23⤵PID:2948
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2588
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
Network
MITRE ATT&CK Enterprise v15
Downloads