Analysis
- max time kernel: 146s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 19:10
Behavioral task
behavioral1
Sample
JaffaCakes118_162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34.exe
Resource
win10v2004-20241007-en
General
- Target: JaffaCakes118_162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34.exe
- Size: 1.3MB
- MD5: 04c337f39690332378b2c42568efd2a3
- SHA1: 5f284376ff69b27bde39df7db9e25172418d7da4
- SHA256: 162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34
- SHA512: 4961dac264e8325f0c09a5cceb3520bafb43f5ddbcceb82de1df8d13ad684fd41334e910174ceed7168cb4f07209b566bde15386ed46a59c08b6e58a8a0e1822
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
Loads dropped DLL 2 IoCs
pid Process 2848 cmd.exe 2848 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 5 raw.githubusercontent.com 9 raw.githubusercontent.com 16 raw.githubusercontent.com 20 raw.githubusercontent.com 27 raw.githubusercontent.com 4 raw.githubusercontent.com 23 raw.githubusercontent.com 31 raw.githubusercontent.com 34 raw.githubusercontent.com 12 raw.githubusercontent.com -
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\088424020bedd6 | DllCommonsvc.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\Vss\Writers\Application\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\Vss\Writers\Application\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\Resources\Ease of Access Themes\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\Resources\Ease of Access Themes\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 34 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_162ef61ca467861b098c2d2880b5db8992ffa5a505481b5116fbc90613f98b34.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yxNQxpWx41.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2792
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2908
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"9⤵PID:2108
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:812
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"11⤵PID:2912
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2220
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"13⤵PID:1692
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2116
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"15⤵PID:2864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1864
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"17⤵PID:2180
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2724
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"19⤵PID:1992
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:340
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"21⤵PID:1668
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2588
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"23⤵PID:2716
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2020
-
-
C:\providercommon\OSPPSVC.exe"C:\providercommon\OSPPSVC.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9LJ6BBYUU01CI4CRLDZ0.temp
Filesize 7KB