Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 22:51
Behavioral task: behavioral1
- Sample: JaffaCakes118_6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c.exe
- Size: 1.3MB
- MD5: 18fc1884afec2b329024ffb0880e50e7
- SHA1: 83e653a34e2f9b1276ed7286b7f9610e0b3779ae
- SHA256: 6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c
- SHA512: 61883463b929bd892a8e7b80e43b0b161ec5f6fb42755e9161a85ade0d6716e2eb6654d1686de5c2d68419515107c056fe4e030f8092c2407dbebbc43d65dd16
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x0008000000016ab9-9.dat | dcrat
behavioral1/memory/584-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp | dcrat
behavioral1/memory/1240-122-0x0000000000990000-0x0000000000AA0000-memory.dmp | dcrat
behavioral1/memory/2016-181-0x0000000000380000-0x0000000000490000-memory.dmp | dcrat
behavioral1/memory/404-242-0x0000000001380000-0x0000000001490000-memory.dmp | dcrat
behavioral1/memory/2928-303-0x0000000000170000-0x0000000000280000-memory.dmp | dcrat
behavioral1/memory/376-363-0x0000000000A00000-0x0000000000B10000-memory.dmp | dcrat
behavioral1/memory/2800-424-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat
behavioral1/memory/2620-485-0x0000000000AE0000-0x0000000000BF0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1620 | powershell.exe
2288 | powershell.exe
984 | powershell.exe
580 | powershell.exe
2196 | powershell.exe
1948 | powershell.exe
2484 | powershell.exe
1836 | powershell.exe
1648 | powershell.exe
2320 | powershell.exe
1660 | powershell.exe
944 | powershell.exe
2060 | powershell.exe
2280 | powershell.exe
Executes dropped EXE 10 IoCs
pid | Process
584 | DllCommonsvc.exe
1240 | csrss.exe
2016 | csrss.exe
404 | csrss.exe
2928 | csrss.exe
376 | csrss.exe
2800 | csrss.exe
2620 | csrss.exe
592 | csrss.exe
1216 | csrss.exe
Loads dropped DLL 2 IoCs
pid | Process
2208 | cmd.exe
2208 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
12 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Media Player\Media Renderer\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\Media Renderer\lsass.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\lsass.exe | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\ja-JP\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\ja-JP\5940a34987c991 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 26 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ab502214306d67315c97f8332e381895b3b1283da3fb0c0169f3c4e1e8a426c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kpSUG0IuFT.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1520
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"7⤵PID:376
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1332
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"9⤵PID:1728
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:580
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"11⤵PID:2068
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1692
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"13⤵PID:2076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:3000
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"15⤵PID:1008
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2348
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"17⤵PID:2288
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2176
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"19⤵PID:3016
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2744
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"21⤵PID:1968
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1696
-
-
C:\Users\Public\Downloads\csrss.exe"C:\Users\Public\Downloads\csrss.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"23⤵PID:2304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1412
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Media Renderer\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Media Renderer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
Network
MITRE ATT&CK Enterprise v15
Downloads