Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 23:13
Behavioral task
behavioral1
Sample
JaffaCakes118_e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461.exe
-
Size
1.3MB
-
MD5
ef2843f51fb4d7b5cd9fc0737434466f
-
SHA1
69aaf9ff5809697a84a1d2d6aa32bc83844a8f56
-
SHA256
e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461
-
SHA512
183dddb87cf70c6d8e19db6554f64deaacf5a7463efc5e914cf2b5a97728913aabed050bb2d36cb6eb6998a2e447a621b4df7ca3d44071b3c6682a9a086baac8
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource yara_rule behavioral1/files/0x0007000000019397-12.dat dcrat behavioral1/memory/2856-13-0x0000000000BE0000-0x0000000000CF0000-memory.dmp dcrat behavioral1/memory/2052-117-0x0000000000E70000-0x0000000000F80000-memory.dmp dcrat behavioral1/memory/824-177-0x0000000001060000-0x0000000001170000-memory.dmp dcrat behavioral1/memory/2180-237-0x00000000002B0000-0x00000000003C0000-memory.dmp dcrat behavioral1/memory/2492-297-0x0000000000FD0000-0x00000000010E0000-memory.dmp dcrat behavioral1/memory/680-417-0x0000000000320000-0x0000000000430000-memory.dmp dcrat behavioral1/memory/316-477-0x0000000000280000-0x0000000000390000-memory.dmp dcrat behavioral1/memory/2300-537-0x00000000011E0000-0x00000000012F0000-memory.dmp dcrat behavioral1/memory/2056-597-0x00000000003D0000-0x00000000004E0000-memory.dmp dcrat behavioral1/memory/1396-657-0x0000000000DF0000-0x0000000000F00000-memory.dmp dcrat behavioral1/memory/2504-717-0x00000000013D0000-0x00000000014E0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 2644 powershell.exe 376 powershell.exe 1612 powershell.exe 1716 powershell.exe 1812 powershell.exe 2484 powershell.exe 2476 powershell.exe 552 powershell.exe 1956 powershell.exe 3064 powershell.exe 2860 powershell.exe 1708 powershell.exe 2284 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2856 DllCommonsvc.exe 2052 wininit.exe 824 wininit.exe 2180 wininit.exe 2492 wininit.exe 1896 wininit.exe 680 wininit.exe 316 wininit.exe 2300 wininit.exe 2056 wininit.exe 1396 wininit.exe 2504 wininit.exe -
Loads dropped DLL 2 IoCs
pid Process 2708 cmd.exe 2708 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 19 raw.githubusercontent.com 25 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 35 raw.githubusercontent.com 9 raw.githubusercontent.com 22 raw.githubusercontent.com 29 raw.githubusercontent.com 32 raw.githubusercontent.com -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\spoolsv.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\f3b6ecef712a24 DllCommonsvc.exe File created C:\Program Files\Windows NT\Accessories\taskhost.exe DllCommonsvc.exe File created C:\Program Files\Windows NT\Accessories\b75386f1303e64 DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\wininit.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Uninstall Information\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\services.exe DllCommonsvc.exe File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\56085415360792 DllCommonsvc.exe File created C:\Program Files\Windows Sidebar\de-DE\lsass.exe DllCommonsvc.exe File created C:\Program Files\Windows Sidebar\de-DE\6203df4a6bafc7 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Vss\Writers\System\69ddcba757bf72 DllCommonsvc.exe File created C:\Windows\Vss\Writers\System\smss.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1972 schtasks.exe 1676 schtasks.exe 628 schtasks.exe 484 schtasks.exe 1068 schtasks.exe 2972 schtasks.exe 872 schtasks.exe 1624 schtasks.exe 2348 schtasks.exe 2896 schtasks.exe 1988 schtasks.exe 1448 schtasks.exe 2340 schtasks.exe 1592 schtasks.exe 2960 schtasks.exe 1740 schtasks.exe 2360 schtasks.exe 1932 schtasks.exe 1300 schtasks.exe 880 schtasks.exe 3068 schtasks.exe 680 schtasks.exe 1640 schtasks.exe 748 schtasks.exe 2204 schtasks.exe 1792 schtasks.exe 1780 schtasks.exe 668 schtasks.exe 1968 schtasks.exe 2536 schtasks.exe 788 schtasks.exe 1104 schtasks.exe 2728 schtasks.exe 1076 schtasks.exe 1508 schtasks.exe 2864 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 2856 DllCommonsvc.exe 2856 DllCommonsvc.exe 2856 DllCommonsvc.exe 1716 powershell.exe 2476 powershell.exe 2284 powershell.exe 3064 powershell.exe 1708 powershell.exe 1812 powershell.exe 1956 powershell.exe 2644 powershell.exe 2860 powershell.exe 376 powershell.exe 1612 powershell.exe 2484 powershell.exe 552 powershell.exe 2052 wininit.exe 824 wininit.exe 2180 wininit.exe 2492 wininit.exe 1896 wininit.exe 680 wininit.exe 316 wininit.exe 2300 wininit.exe 2056 wininit.exe 1396 wininit.exe 2504 wininit.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 2856 DllCommonsvc.exe Token: SeDebugPrivilege 1716 powershell.exe Token: SeDebugPrivilege 2476 powershell.exe Token: SeDebugPrivilege 2284 powershell.exe Token: SeDebugPrivilege 3064 powershell.exe Token: SeDebugPrivilege 1708 powershell.exe Token: SeDebugPrivilege 1812 powershell.exe Token: SeDebugPrivilege 1956 powershell.exe Token: SeDebugPrivilege 2644 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeDebugPrivilege 376 powershell.exe Token: SeDebugPrivilege 1612 powershell.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeDebugPrivilege 552 powershell.exe Token: SeDebugPrivilege 2052 wininit.exe Token: SeDebugPrivilege 824 wininit.exe Token: SeDebugPrivilege 2180 wininit.exe Token: SeDebugPrivilege 2492 wininit.exe Token: SeDebugPrivilege 1896 wininit.exe Token: SeDebugPrivilege 680 wininit.exe Token: SeDebugPrivilege 316 wininit.exe Token: SeDebugPrivilege 2300 wininit.exe Token: SeDebugPrivilege 2056 wininit.exe Token: SeDebugPrivilege 1396 wininit.exe Token: SeDebugPrivilege 2504 wininit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6aa9fb47d17ac820bbef21751e7b650cae1e4c62a681d6b030ab9b8e122e461.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IzQjOCmvIu.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1772
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1892
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"9⤵PID:2128
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2680
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"11⤵PID:2648
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2652
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"13⤵PID:340
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:984
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"15⤵PID:2552
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:848
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"17⤵PID:2812
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2348
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"19⤵PID:1592
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2568
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"21⤵PID:2752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1072
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"23⤵PID:1916
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2448
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"25⤵PID:1252
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2412
-
-
C:\Program Files (x86)\Uninstall Information\wininit.exe"C:\Program Files (x86)\Uninstall Information\wininit.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\System\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\System\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB