Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 23:19
Behavioral task
behavioral1
Sample
JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe
-
Size
1.3MB
-
MD5
e232528ddd6aa6256f1480cc472cc002
-
SHA1
778b038f3f1f5be1b6340c5f18d409a581a9834b
-
SHA256
ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be
-
SHA512
2b07cf4503081e7ca467d048f2c74fe5211371b36623fcc45a44127dc9d5fda93b10e02b2df854f28f8337dfd73e304c71c94858b26d4006771024c6626fd937
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
pid | Process
2720 | cmd.exe
2720 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
29 | raw.githubusercontent.com
35 | raw.githubusercontent.com
38 | raw.githubusercontent.com
4 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
32 | raw.githubusercontent.com
9 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\taskhost.exe | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\Branding\ShellBrd\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Branding\ShellBrd\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Windows\Cursors\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\Cursors\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\Speech\Engines\SR\es-ES\winlogon.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2028
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1160
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"9⤵PID:2524
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2616
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"11⤵PID:1008
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2364
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"13⤵PID:2040
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1596
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"15⤵PID:2372
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2968
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"17⤵PID:1292
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:344
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"19⤵PID:1736
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2972
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"21⤵PID:480
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1016
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"23⤵PID:1620
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2256
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"25⤵PID:1852
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2516
-
-
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"27⤵PID:2344
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQE0AW5Y8YO05X2RREZC.temp
Filesize 7KB