Analysis
-
max time kernel
146s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 22:23
Behavioral task
behavioral1
Sample
JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe
-
Size
1.3MB
-
MD5
affa00e7521ab3d3d637a9ff294ecccb
-
SHA1
c9cf1f0ca3f8a2f97b1a88a0b9f656641263cbcf
-
SHA256
ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81
-
SHA512
9cbbdad39a61cb67c23157bdbb9ec043d0175961d9d84b36d7653c55331c71d2babc785b4a8aaec875c67c6be23cbd0b15e46f30d9a78047bc063f626f584589
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2544 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1420 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1388 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 324 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1692 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1908 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2828 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2596 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1904 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 272 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1308 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 2796 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 2796 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x000700000001921d-9.dat dcrat behavioral1/memory/3048-13-0x0000000000B20000-0x0000000000C30000-memory.dmp dcrat behavioral1/memory/2152-115-0x00000000013E0000-0x00000000014F0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2168 powershell.exe 2864 powershell.exe 2624 powershell.exe 1612 powershell.exe 1264 powershell.exe 3032 powershell.exe 2012 powershell.exe 536 powershell.exe 288 powershell.exe 1480 powershell.exe 696 powershell.exe 1644 powershell.exe 1956 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 3048 DllCommonsvc.exe 2152 audiodg.exe 2684 audiodg.exe 904 audiodg.exe 2944 audiodg.exe 2484 audiodg.exe 2924 audiodg.exe 904 audiodg.exe 2668 audiodg.exe 680 audiodg.exe 1568 audiodg.exe 2024 audiodg.exe -
Loads dropped DLL 2 IoCs
pid Process 3016 cmd.exe 3016 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 4 raw.githubusercontent.com 35 raw.githubusercontent.com 22 raw.githubusercontent.com 26 raw.githubusercontent.com 29 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 12 raw.githubusercontent.com 15 raw.githubusercontent.com 18 raw.githubusercontent.com 32 raw.githubusercontent.com -
Drops file in Program Files directory 9 IoCs
description ioc Process File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\services.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f3b6ecef712a24 DllCommonsvc.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\de-DE\csrss.exe DllCommonsvc.exe File created C:\Windows\de-DE\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\Resources\Ease of Access Themes\dllhost.exe DllCommonsvc.exe File created C:\Windows\Resources\Ease of Access Themes\5940a34987c991 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2664 schtasks.exe 2544 schtasks.exe 1636 schtasks.exe 324 schtasks.exe 1552 schtasks.exe 1652 schtasks.exe 2528 schtasks.exe 1848 schtasks.exe 1572 schtasks.exe 2708 schtasks.exe 1308 schtasks.exe 1720 schtasks.exe 2548 schtasks.exe 1420 schtasks.exe 2444 schtasks.exe 1620 schtasks.exe 2856 schtasks.exe 2956 schtasks.exe 1908 schtasks.exe 2596 schtasks.exe 908 schtasks.exe 1904 schtasks.exe 1692 schtasks.exe 2020 schtasks.exe 272 schtasks.exe 1808 schtasks.exe 2816 schtasks.exe 2456 schtasks.exe 1388 schtasks.exe 2480 schtasks.exe 2396 schtasks.exe 2824 schtasks.exe 2772 schtasks.exe 2828 schtasks.exe 1100 schtasks.exe 844 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 3048 DllCommonsvc.exe 1480 powershell.exe 288 powershell.exe 536 powershell.exe 2864 powershell.exe 2012 powershell.exe 1264 powershell.exe 2624 powershell.exe 3032 powershell.exe 1956 powershell.exe 1644 powershell.exe 696 powershell.exe 1612 powershell.exe 2168 powershell.exe 2152 audiodg.exe 2684 audiodg.exe 904 audiodg.exe 2944 audiodg.exe 2484 audiodg.exe 2924 audiodg.exe 904 audiodg.exe 2668 audiodg.exe 680 audiodg.exe 1568 audiodg.exe 2024 audiodg.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 3048 DllCommonsvc.exe Token: SeDebugPrivilege 1480 powershell.exe Token: SeDebugPrivilege 288 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 2012 powershell.exe Token: SeDebugPrivilege 1264 powershell.exe Token: SeDebugPrivilege 2624 powershell.exe Token: SeDebugPrivilege 3032 powershell.exe Token: SeDebugPrivilege 1956 powershell.exe Token: SeDebugPrivilege 1644 powershell.exe Token: SeDebugPrivilege 696 powershell.exe Token: SeDebugPrivilege 1612 powershell.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 2152 audiodg.exe Token: SeDebugPrivilege 2684 audiodg.exe Token: SeDebugPrivilege 904 audiodg.exe Token: SeDebugPrivilege 2944 audiodg.exe Token: SeDebugPrivilege 2484 audiodg.exe Token: SeDebugPrivilege 2924 audiodg.exe Token: SeDebugPrivilege 904 audiodg.exe Token: SeDebugPrivilege 2668 audiodg.exe Token: SeDebugPrivilege 680 audiodg.exe Token: SeDebugPrivilege 1568 audiodg.exe Token: SeDebugPrivilege 2024 audiodg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2484 2052 JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe 30 PID 2052 wrote to memory of 2484 2052 JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe 30 PID 2052 wrote to memory of 2484 2052 JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe 30 PID 2052 wrote to memory of 2484 2052 JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe 30 PID 2484 wrote to memory of 3016 2484 WScript.exe 31 PID 2484 wrote to memory of 3016 2484 WScript.exe 31 PID 2484 wrote to memory of 3016 2484 WScript.exe 31 PID 2484 wrote to memory of 3016 2484 WScript.exe 31 PID 3016 wrote to memory of 3048 3016 cmd.exe 33 PID 3016 wrote to memory of 3048 3016 cmd.exe 33 PID 3016 wrote to memory of 3048 3016 cmd.exe 33 PID 3016 wrote to memory of 3048 3016 cmd.exe 33 PID 3048 wrote to memory of 1480 3048 DllCommonsvc.exe 72 PID 3048 wrote to memory of 1480 3048 DllCommonsvc.exe 72 PID 3048 wrote to memory of 1480 3048 DllCommonsvc.exe 72 PID 3048 wrote to memory of 1612 3048 DllCommonsvc.exe 73 PID 3048 wrote to memory of 1612 3048 DllCommonsvc.exe 73 PID 3048 wrote to memory of 1612 3048 DllCommonsvc.exe 73 PID 3048 wrote to memory of 2624 3048 DllCommonsvc.exe 75 PID 3048 wrote to memory of 2624 3048 DllCommonsvc.exe 75 PID 3048 wrote to memory of 2624 3048 DllCommonsvc.exe 75 PID 3048 wrote to memory of 2864 3048 DllCommonsvc.exe 76 PID 3048 wrote to memory of 2864 3048 DllCommonsvc.exe 76 PID 3048 wrote to memory of 2864 3048 DllCommonsvc.exe 76 PID 3048 wrote to memory of 2168 3048 DllCommonsvc.exe 77 PID 3048 wrote to memory of 2168 3048 DllCommonsvc.exe 77 PID 3048 wrote to memory of 2168 3048 DllCommonsvc.exe 77 PID 3048 wrote to memory of 288 3048 DllCommonsvc.exe 78 PID 3048 wrote to memory of 288 3048 DllCommonsvc.exe 78 PID 3048 wrote to memory of 288 3048 DllCommonsvc.exe 78 PID 3048 wrote to memory of 536 3048 DllCommonsvc.exe 79 PID 3048 wrote to memory of 536 3048 DllCommonsvc.exe 79 PID 3048 wrote to memory of 536 3048 DllCommonsvc.exe 79 PID 3048 wrote to memory of 1956 3048 DllCommonsvc.exe 80 PID 3048 wrote to memory of 1956 3048 DllCommonsvc.exe 80 PID 3048 wrote to memory of 1956 3048 DllCommonsvc.exe 80 PID 3048 wrote to memory of 696 3048 DllCommonsvc.exe 81 PID 3048 wrote to memory of 696 3048 DllCommonsvc.exe 81 PID 3048 wrote to memory of 696 3048 DllCommonsvc.exe 81 PID 3048 wrote to memory of 1264 3048 DllCommonsvc.exe 82 PID 3048 wrote to memory of 1264 3048 DllCommonsvc.exe 82 PID 3048 wrote to memory of 1264 3048 DllCommonsvc.exe 82 PID 3048 wrote to memory of 1644 3048 DllCommonsvc.exe 83 PID 3048 wrote to memory of 1644 3048 DllCommonsvc.exe 83 PID 3048 wrote to memory of 1644 3048 DllCommonsvc.exe 83 PID 3048 wrote to memory of 3032 3048 DllCommonsvc.exe 84 PID 3048 wrote to memory of 3032 3048 DllCommonsvc.exe 84 PID 3048 wrote to memory of 3032 3048 DllCommonsvc.exe 84 PID 3048 wrote to memory of 2012 3048 DllCommonsvc.exe 85 PID 3048 wrote to memory of 2012 3048 DllCommonsvc.exe 85 PID 3048 wrote to memory of 2012 3048 DllCommonsvc.exe 85 PID 3048 wrote to memory of 1464 3048 DllCommonsvc.exe 94 PID 3048 wrote to memory of 1464 3048 DllCommonsvc.exe 94 PID 3048 wrote to memory of 1464 3048 DllCommonsvc.exe 94 PID 1464 wrote to memory of 2868 1464 cmd.exe 100 PID 1464 wrote to memory of 2868 1464 cmd.exe 100 PID 1464 wrote to memory of 2868 1464 cmd.exe 100 PID 1464 wrote to memory of 2152 1464 cmd.exe 101 PID 1464 wrote to memory of 2152 1464 cmd.exe 101 PID 1464 wrote to memory of 2152 1464 cmd.exe 101 PID 2152 wrote to memory of 1728 2152 audiodg.exe 102 PID 2152 wrote to memory of 1728 2152 audiodg.exe 102 PID 2152 wrote to memory of 1728 2152 audiodg.exe 102 PID 1728 wrote to memory of 3036 1728 cmd.exe 104 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5a9ShOQM99.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2868
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3036
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"9⤵PID:968
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2340
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"11⤵PID:2532
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2096
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"13⤵PID:1260
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1440
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"15⤵PID:1804
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1864
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"17⤵PID:1116
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1588
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"19⤵PID:1420
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2852
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"21⤵PID:2588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2552
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"23⤵PID:2864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1612
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"25⤵PID:1512
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2752
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Music\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD518a2bc30aa88cdb1c6eae12c5cd8bcfc
SHA1e1e79334c861c5b3ce14b320460b898a0d0f51f7
SHA2562ba6d684b2a894a44784aa0f6725e42c1feb62bbb1b4bab17afdcd7ff605e915
SHA512f6d7df7a581ef6eb5976df6d172c2b63a1e5732dbcd8ef9c9380ec16cadc6fa18e994d34c7b052ff930464252d123794fa817af60a161da5307f5bc87dcbb13d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f801f8522811e4379e0c08d0527986f1
SHA1c49c6f59b6c2ac60f9b2cc759839d73eb0b60a7c
SHA2563b5be4e62418b30625ab6e94f8a759c77cbdf33da288b0709ca9df8f6db19bec
SHA512d27cced31c60e3c7fd584b77451a295c168bb06036aac37ac7bfd4c456649ac3131ce2bc09e08d61c02a12ea84dc4a08c730b60df0d5ec355b79e17ef42e824a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a3af627e5f8dab6d68cb621073fe5fda
SHA1f135932ff8816411f0daca16e47499c0bb793dda
SHA256c5334b8fdf6109174ab42303fe21d532f9cc4c433048927ab60b528dcdbfd853
SHA512af9f79c713108aa23169e4925a8871454ff83b09185ce6d22f37551706f62ee7aa494401eb18007ba3103c4c58a7527d9cabee223a644a93c1a86c00334c7f2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f15af2964e1f128e17d25a3f596ebe23
SHA163461b683627858fc492f4a1cc355adabc15c4ca
SHA256ff180ffa8acc4eef1d755228e487c4770a758437b40198fee5a7995f8595a41d
SHA512c4dfeb42c2f16676161f9dc2633c73b9e8cab3f257bd09af0258a21c92868797b3e337b449dd73130650cbdc133bad8cb791058e9b26b1983a38b048974ab716
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD502090401ce08f5ce9669d7fc855b8c11
SHA1e397b672e8be96b8b1e98c26c9f50c0329d30b5b
SHA256bc6ea61fc02d48bd032cc6d258b6ba856110bba9d55e54d88ceda31c9d0de9f2
SHA5120a7541a537f1f19aae86f179279e0024001de32477cb674f104d84673a353035f802587a99990890f9bd7ff69840440b55fd53c5c48367bb969f48c22fb95297
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5371fa15d9bb8e3ed30ce03ecc11fb851
SHA112a69ec6113d93840a8d4dbce1178a3e2870ad9b
SHA2569b983a755344793e290677dfab0641df7f772ac4b43aba32ee4cf85730820903
SHA512dcb06ae7abfd9b7d2ca646c3721a72f5e9ddf83160c950433b1929197b536aae71f2e4299139669937db694d85359db27faa87f752fc6b3c68385ed42ed8d64c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59873a7f00c2d79217c20d10a21fb4bc0
SHA16a1e8b2ad7f6f6d4bab51148b05b1a0af6111c9c
SHA256495dde5ab802d5bc02726ca3bcdecf859a28062a514799c61632cd75ff8f25cb
SHA5125af22c31b94b13659f8939a506215b0c9fd370a72b80efeb4856bd2533790eed8700bd91448ce24760b21748bed1ce5e89dd897c72e343ff0d06c130984c8082
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD599bdf4fb04a5e844d9aaee441e983dfa
SHA1108da9c85e172b5f87f8cdfa32600a9608f3f2e0
SHA2568c9a91a8deba6564d8dd21163ca17a8ea3dfdf4f77a3f1d724020f4f473b0cef
SHA512ee2951cb0773cb8a38612d26ad8aa2832a345cebb1f2e9c5350a7b41f6cdc8303f4725d3beb937f7eb2835cedb9c25e4cddfbecc39b183328ddec8eb9428a8be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53e61ce9022f2385cf9b24c3d6774854f
SHA1fb2850baff4408a06bb2ae85b60c4db16c2296c4
SHA256b1f69f234d00bd7765405f9e630d39c5953ad81e9a35a1578a5bdc1cd99cce16
SHA5123a5e8ba4b3d56cbdaef5ebfde92a244f922a5801b1d92c3483a4e3d0a497a914dfac6b3fdf125652b6b9c88ce99294e219b5bca4ca6f008b50ba341d9e8c1257
-
Filesize
225B
MD58acd16ba4f2b96e55786b8ea36d2fdb7
SHA18e5b30d0461d748b4cec3a7fee4e12fdb4a68781
SHA256dd141e6af614baecfb31bd25419f606afbc24183983d38eac7580896b0c6878e
SHA5125bb7931661dec2686522be8e07377cfaf16c14c2003991a5aeb7a44699c24cdd75e9c6f228764429e53fcdb58ca0b94e71574975868b71680023e6dbbc190029
-
Filesize
225B
MD5852f479aec6c431285bdb7ff4422ac04
SHA1eec8079d3b4fb4ec8acd25a43d99b270308d3581
SHA2561526a18589a446819570cb1f8c10605cbdfd4100d990b0e0226a16a8050a9639
SHA5124d84ceaff671e47433dfc2ec0d281bb6f4301cd7bad4399ad6ddc7262670a83d4db1ace7c2b1fa5b5b9609f5662bd46ca6fb948d9671c48d4374cb22c4ab4b0f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
225B
MD5c4d5d9e3969578c0f52716cf2904be61
SHA10c0d8706ccc41f013b0b0ad1d6041d207f16448e
SHA256d260a1b72f0aaacdef39189412d90ce0a899662bd1aae3753d2ec7b727f926df
SHA5122b27c633f7ed39d14fb3eede00389939546c032ea34110e5b60d132f3f8d7d21391ecae8b5f29e37b9ef85791855d53a975a87fee182bf7ab16cbd1b9397fc8d
-
Filesize
225B
MD5e22d26061c29881e9f633a4b4559075a
SHA18f67bc36152be558038ff1b6fd2d413e6279508a
SHA25654c270beb5832a5ad5ac0b6c91e96b387096645cddac631043e1299e08462dbd
SHA5123e2e03978890858628b2638180c51676207951df5ff61b189ed10257a38caef967e6dd06a94eecf6764d8062a196a5e2036e5abde16ef7f6f425f7798e00d9b3
-
Filesize
225B
MD591b5b1b4b2113972dba25f6bedd43e55
SHA16ea9b77596e2ec77f46603c16cec778f75254bcf
SHA256374947104588a526bedb76c5e5174f0c6851460cc3e0c043f2c3ce03727b1236
SHA51254e2b4a417a14f76c8db19defe969444ec9e14f368558470858fdb756044ffec69ce7b5aada27f9cbe1e5f6a34bc7fafd5b05b8898bfa058e1ca4fbc4228f35b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
225B
MD5fd070d63a4ca3a5304fa3fdf16574103
SHA1f13330819f89de41be70e94801d9c1ac5d4738d5
SHA256c0fbc5632e0232411eb85bdf61a4909b072427a801eec0511c04afd4c901f739
SHA51205fccef82c0645b95f002d22f00fa887a2d7f358017bdcaec500a6adb1d6079abf1384692eab6be473e4825a1c622c6f7a25817083be80b5392fff7e1247f16b
-
Filesize
225B
MD573e2138afa5df0f632f8130d3093af32
SHA1d3f68102d0a0b8d02ba5c6d1dae29949f614f4a5
SHA2566be8c11b6eb5e3be19a00e2227a6ac760a8e955d8dd45862191d177c658196f3
SHA5121e9004f6880219d8d5a6007ee10d4c3792ea39503c4f4381d3baf13ccd523cf7465f0ff6add15ee001e3574ad7a9a80f413305a336cdeee4afd536702308596f
-
Filesize
225B
MD585e5717f5c7cf59308bac17cbc9aa2c3
SHA107b803a4ee2c811905512514c8d697933bbd1d06
SHA2564534d3a5f4aa28f66b961595f9534d78870726fe6b2f7b61348eb06b37d814bf
SHA512126958b67ff634ec1f22774c60745854594355f3a8ac707ac167902439488cfcfc5f6a9dfb60f817edb8d3ced854c9548ab4e0bbcf5c32019fa837693af77332
-
Filesize
225B
MD53dbbe7c5b1adc3c02fe49550a7430628
SHA10d19fe94f68d2bad012b9715cdf3e7572810a676
SHA25682a0dc6ac9fb11f9a03e41c9d790e45b6b30ca8de71e2c7834f64aaafa6ec1cb
SHA5123df3df764e2caa4e61103df4717d3e7e348fa19d0e10f84bee57b181dba686cfb00e48a55d02d3ec6ec544b1049e5a9ed9cfb7be3f4d77d0376650c8134f96d7
-
Filesize
225B
MD50e88a05c7e858b5d24bd9f1a0d2e07b6
SHA156f1130e3c2a16425044614a5d48ac4f509a87ad
SHA256fadc18ddc942e02f3beded37b490e4519f55155a79ce8058fedfa283cda418fa
SHA512a15b42033388489456724315efc1c6f9e80be1e7693bec9d36cd869f247878ca29f12c3158ea74d5945a340eda221ac2cebc579abe76e3894063cf1d7dbccd8f
-
Filesize
225B
MD55d8f208f2f3b0b0a8953f33d42c89ca4
SHA127c51dc35ca8e5cf0060678e8995b8c6719c8284
SHA256228d74a4260efab0fd6282be347b9f647bb2b5a992333e563bcb541a0f4f5aee
SHA512561c491d0f715ee896ac96f7cb979e1face1b48ab1d93e4ae2caa807a8d5b659fdb4de03f44bbd158e8aaaf0c90fb4c59a08d75f997e526be093119d5c2b29c2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD510ae1d92bf8f0a0b999a73ac4b72b280
SHA1179706b1cee7259c51273b5552d054300a5b0097
SHA256f309527e34bb6ad8db9b5220f2ff57e9c3f9629de88b373c5a0bec338f86f789
SHA51243140c61f30c4237de033b39b3545ef3039cefed8098fe616bba8373e5ec74579a29e9ef0e597a578161ee312708f8d7774be9e21c8c6f97a2e858ae8a44c048
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394