Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:18
Behavioral task: behavioral1
Sample: JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe
Size: 1.3MB
MD5: 79c251d41d9c2d82f6edc3a6ab8006a8
SHA1: 8e7ba5a29674e151d8f6b90b41ab130acf7243fe
SHA256: b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd
SHA512: 6a7a9cb0ac0a5ae8f539334f332140b3c2110d40e07542995a5a56b769d026eeb4ae87a46aa9ac2f1177dabea966fb514805313dd6d4f5473ce538368e2c8017
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1504 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1312 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2460 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 332 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1320 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 296 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2800 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1776 2800 schtasks.exe 35
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
pid Process
772 cmd.exe
772 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
25 raw.githubusercontent.com
29 raw.githubusercontent.com
35 raw.githubusercontent.com
4 raw.githubusercontent.com
17 raw.githubusercontent.com
21 raw.githubusercontent.com
32 raw.githubusercontent.com
39 raw.githubusercontent.com
5 raw.githubusercontent.com
9 raw.githubusercontent.com
13 raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\42af1c969fbb7b DllCommonsvc.exe
File created C:\Program Files (x86)\Uninstall Information\csrss.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Uninstall Information\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe DllCommonsvc.exe
File created C:\Program Files\Windows NT\TableTextService\es-ES\cc11b995f2a76d DllCommonsvc.exe
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe DllCommonsvc.exe
File created C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\a76d7bf15d8370 DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process
Token: SeDebugPrivilege 2168 DllCommonsvc.exe
Token: SeDebugPrivilege 1044 powershell.exe
Token: SeDebugPrivilege 1764 powershell.exe
Token: SeDebugPrivilege 3068 csrss.exe
Token: SeDebugPrivilege 1668 powershell.exe
Token: SeDebugPrivilege 1544 powershell.exe
Token: SeDebugPrivilege 2224 powershell.exe
Token: SeDebugPrivilege 1484 powershell.exe
Token: SeDebugPrivilege 2336 powershell.exe
Token: SeDebugPrivilege 2312 powershell.exe
Token: SeDebugPrivilege 712 powershell.exe
Token: SeDebugPrivilege 1896 powershell.exe
Token: SeDebugPrivilege 2660 powershell.exe
Token: SeDebugPrivilege 2524 powershell.exe
Token: SeDebugPrivilege 2656 powershell.exe
Token: SeDebugPrivilege 988 powershell.exe
Token: SeDebugPrivilege 2664 csrss.exe
Token: SeDebugPrivilege 3008 csrss.exe
Token: SeDebugPrivilege 1300 csrss.exe
Token: SeDebugPrivilege 1556 csrss.exe
Token: SeDebugPrivilege 772 csrss.exe
Token: SeDebugPrivilege 2704 csrss.exe
Token: SeDebugPrivilege 2132 csrss.exe
Token: SeDebugPrivilege 2316 csrss.exe
Token: SeDebugPrivilege 2192 csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵
PID:2676
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat" 8⤵
PID:1784
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵
PID:2172
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat" 10⤵
PID:2184
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵
PID:2240
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat" 12⤵
PID:1712
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵
PID:2560
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat" 14⤵
PID:1000
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵
PID:3052
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat" 16⤵
PID:1904
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵
PID:2380
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat" 18⤵
PID:1288
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵
PID:1728
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat" 20⤵
PID:3056
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵
PID:1600
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat" 22⤵
PID:1072
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵
PID:1040
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat" 24⤵
PID:2532
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵
PID:344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB