Analysis
-
max time kernel
148s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 19:28
Behavioral task
behavioral1
Sample
JaffaCakes118_d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f.exe
-
Size
1.3MB
-
MD5
f4537084c9f4fca4794b870232a7823c
-
SHA1
e498bf69bb3fbab576eaa5f0db888dfeac132d95
-
SHA256
d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f
-
SHA512
b191cad986263a1c54b797ae068bf2bc6fd155c8745803c1f1abdf1a5383b65cec68dc64cc3a81cfaae92012e1ce9a789acd9a1cb74f3ba27aeecc5d369c197a
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2848 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 316 | 2848 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2848 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2848 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2848 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2848 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000016399-10.dat | dcrat
behavioral1/memory/2736-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp | dcrat
behavioral1/memory/900-28-0x00000000002A0000-0x00000000003B0000-memory.dmp | dcrat
behavioral1/memory/1696-104-0x0000000001040000-0x0000000001150000-memory.dmp | dcrat
behavioral1/memory/2732-164-0x0000000000190000-0x00000000002A0000-memory.dmp | dcrat
behavioral1/memory/600-224-0x0000000000C20000-0x0000000000D30000-memory.dmp | dcrat
behavioral1/memory/2432-284-0x0000000001330000-0x0000000001440000-memory.dmp | dcrat
behavioral1/memory/2012-344-0x0000000000250000-0x0000000000360000-memory.dmp | dcrat
behavioral1/memory/1020-405-0x0000000001340000-0x0000000001450000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2216 | powershell.exe
2500 | powershell.exe
2084 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2736 | DllCommonsvc.exe
900 | System.exe
1696 | System.exe
2732 | System.exe
600 | System.exe
2432 | System.exe
2012 | System.exe
1020 | System.exe
2808 | System.exe
772 | System.exe
2608 | System.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1968 | cmd.exe
1968 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
-
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\6203df4a6bafc7 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2832 | schtasks.exe
316 | schtasks.exe
2652 | schtasks.exe
2620 | schtasks.exe
2684 | schtasks.exe
1688 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2736 | DllCommonsvc.exe
2216 | powershell.exe
2084 | powershell.exe
2500 | powershell.exe
900 | System.exe
1696 | System.exe
2732 | System.exe
600 | System.exe
2432 | System.exe
2012 | System.exe
1020 | System.exe
2808 | System.exe
772 | System.exe
2608 | System.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2736 | DllCommonsvc.exe
Token: SeDebugPrivilege | 900 | System.exe
Token: SeDebugPrivilege | 2216 | powershell.exe
Token: SeDebugPrivilege | 2084 | powershell.exe
Token: SeDebugPrivilege | 2500 | powershell.exe
Token: SeDebugPrivilege | 1696 | System.exe
Token: SeDebugPrivilege | 2732 | System.exe
Token: SeDebugPrivilege | 600 | System.exe
Token: SeDebugPrivilege | 2432 | System.exe
Token: SeDebugPrivilege | 2012 | System.exe
Token: SeDebugPrivilege | 1020 | System.exe
Token: SeDebugPrivilege | 2808 | System.exe
Token: SeDebugPrivilege | 772 | System.exe
Token: SeDebugPrivilege | 2608 | System.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d22f009a20fb95264177d12691cab97999e999aa63fb24655a173b902a680b9f.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:1376
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2212
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:784
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat" 12⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:1056
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat" 14⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:1952
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat" 16⤵ PID:2604
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:1636
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat" 18⤵ PID:2160
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:2672
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat" 20⤵ PID:2552
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:1612
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat" 22⤵ PID:1656
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2924
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe "C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
Downloads