Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 22:36
Behavioral task
behavioral1
Sample
JaffaCakes118_48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e.exe
-
Size
1.3MB
-
MD5
00c111d9187729bbcf041d1ef2f72b28
-
SHA1
bfec5f22be47957c7d884a87cdeba70b6ae58ea8
-
SHA256
48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e
-
SHA512
84d1d432325679862ab38553d01a5e5dec7e5eb8e6a458e7a7fbe52cfbb3117e5cdd543cf8da3cc917b92695accaf6e8d4e82a1f2201ac4b450634cc4bc59ec9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1904 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3020 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1844 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2884 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 888 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1260 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2236 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 708 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1132 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1096 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1316 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 792 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1252 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 2636 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1188 2636 schtasks.exe 34
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
pid Process
2836 cmd.exe
2836 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
9 raw.githubusercontent.com
16 raw.githubusercontent.com
29 raw.githubusercontent.com
35 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
22 raw.githubusercontent.com
25 raw.githubusercontent.com
32 raw.githubusercontent.com
12 raw.githubusercontent.com
19 raw.githubusercontent.com
-
Drops file in Program Files directory 17 IoCs
description ioc Process
File created C:\Program Files\Microsoft Office\csrss.exe DllCommonsvc.exe
File opened for modification C:\Program Files\Microsoft Office\csrss.exe DllCommonsvc.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\b75386f1303e64 DllCommonsvc.exe
File created C:\Program Files\Internet Explorer\de-DE\OSPPSVC.exe DllCommonsvc.exe
File created C:\Program Files\Internet Explorer\de-DE\1610b97d3ab4a7 DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6203df4a6bafc7 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Sidebar\it-IT\69ddcba757bf72 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Defender\audiodg.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Defender\42af1c969fbb7b DllCommonsvc.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\56085415360792 DllCommonsvc.exe
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\taskhost.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Media Player\Skins\5940a34987c991 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process
Token: SeDebugPrivilege 2644 DllCommonsvc.exe
Token: SeDebugPrivilege 1984 powershell.exe
Token: SeDebugPrivilege 568 powershell.exe
Token: SeDebugPrivilege 1812 powershell.exe
Token: SeDebugPrivilege 956 powershell.exe
Token: SeDebugPrivilege 2380 powershell.exe
Token: SeDebugPrivilege 1480 powershell.exe
Token: SeDebugPrivilege 2976 powershell.exe
Token: SeDebugPrivilege 2060 powershell.exe
Token: SeDebugPrivilege 2408 powershell.exe
Token: SeDebugPrivilege 1680 powershell.exe
Token: SeDebugPrivilege 2056 powershell.exe
Token: SeDebugPrivilege 2472 powershell.exe
Token: SeDebugPrivilege 1740 powershell.exe
Token: SeDebugPrivilege 2484 powershell.exe
Token: SeDebugPrivilege 656 sppsvc.exe
Token: SeDebugPrivilege 1748 sppsvc.exe
Token: SeDebugPrivilege 2208 sppsvc.exe
Token: SeDebugPrivilege 1332 sppsvc.exe
Token: SeDebugPrivilege 1052 sppsvc.exe
Token: SeDebugPrivilege 2752 sppsvc.exe
Token: SeDebugPrivilege 2664 sppsvc.exe
Token: SeDebugPrivilege 2692 sppsvc.exe
Token: SeDebugPrivilege 796 sppsvc.exe
Token: SeDebugPrivilege 1872 sppsvc.exe
Token: SeDebugPrivilege 912 sppsvc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48517d5fbcbe22246e742086f9f1e1e78eb4acb33af5858ab945aa0c4f4cb54e.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:1340
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat" 8⤵ PID:2416
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2784
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat" 10⤵ PID:2644
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2484
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat" 12⤵ PID:1712
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2204
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat" 14⤵ PID:2756
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2304
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat" 16⤵ PID:1568
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:2096
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat" 18⤵ PID:2988
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:2844
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat" 20⤵ PID:888
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2012
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat" 22⤵ PID:3016
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:712
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat" 24⤵ PID:1796
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:1028
-
-
C:\Users\Admin\Links\sppsvc.exe "C:\Users\Admin\Links\sppsvc.exe" 25⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\cmd.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Links\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB