Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 20:18
Behavioral task
behavioral1
Sample
JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
-
Size
1.3MB
-
MD5
5f8aa2c9c933251a7030f4ccd52d9144
-
SHA1
576b128311ebfaefacb64699b0b215a659e0f74a
-
SHA256
c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670
-
SHA512
64a88caac69853524b7604140aaeeeadb93cfcc4e05176bb07f14729a494f8196ea354281da6305c237bc03a06599572fe40c97b629b428d13bc5eb45e115b4b
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
1668 powershell.exe
3028 powershell.exe
904 powershell.exe
1092 powershell.exe
560 powershell.exe
2236 powershell.exe
1328 powershell.exe
1416 powershell.exe
1884 powershell.exe
3020 powershell.exe
1536 powershell.exe
2204 powershell.exe
1088 powershell.exe
-
Executes dropped EXE 11 IoCs
pid Process
2212 DllCommonsvc.exe
2704 audiodg.exe
448 audiodg.exe
2204 audiodg.exe
2236 audiodg.exe
2732 audiodg.exe
864 audiodg.exe
2336 audiodg.exe
1456 audiodg.exe
1308 audiodg.exe
560 audiodg.exe
-
Loads dropped DLL 2 IoCs
pid Process
2264 cmd.exe
2264 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
4 raw.githubusercontent.com
5 raw.githubusercontent.com
20 raw.githubusercontent.com
27 raw.githubusercontent.com
30 raw.githubusercontent.com
34 raw.githubusercontent.com
9 raw.githubusercontent.com
12 raw.githubusercontent.com
16 raw.githubusercontent.com
23 raw.githubusercontent.com
38 raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Mail\it-IT\a76d7bf15d8370 DllCommonsvc.exe
File created C:\Program Files\Windows NT\Accessories\en-US\cmd.exe DllCommonsvc.exe
File created C:\Program Files\Windows NT\Accessories\en-US\ebf1f9fa8afd6d DllCommonsvc.exe
File created C:\Program Files\Windows Portable Devices\wininit.exe DllCommonsvc.exe
File created C:\Program Files\Windows Portable Devices\56085415360792 DllCommonsvc.exe
File created C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Games\Solitaire\es-ES\6ccacd8608530f DllCommonsvc.exe
-
Drops file in Windows directory 10 IoCs
description ioc Process
File created C:\Windows\ehome\it-IT\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Windows\AppPatch\fr-FR\c5b4cb5e9653cc DllCommonsvc.exe
File created C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe DllCommonsvc.exe
File created C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\7a0fd90576e088 DllCommonsvc.exe
File created C:\Windows\ehome\it-IT\sppsvc.exe DllCommonsvc.exe
File created C:\Windows\Cursors\c5b4cb5e9653cc DllCommonsvc.exe
File created C:\Windows\it-IT\System.exe DllCommonsvc.exe
File created C:\Windows\it-IT\27d1bcfc3c54e0 DllCommonsvc.exe
File created C:\Windows\AppPatch\fr-FR\services.exe DllCommonsvc.exe
File created C:\Windows\Cursors\services.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeDebugPrivilege 2212 DllCommonsvc.exe
Token: SeDebugPrivilege 1092 powershell.exe
Token: SeDebugPrivilege 1416 powershell.exe
Token: SeDebugPrivilege 3020 powershell.exe
Token: SeDebugPrivilege 904 powershell.exe
Token: SeDebugPrivilege 1884 powershell.exe
Token: SeDebugPrivilege 1668 powershell.exe
Token: SeDebugPrivilege 2704 audiodg.exe
Token: SeDebugPrivilege 1536 powershell.exe
Token: SeDebugPrivilege 1328 powershell.exe
Token: SeDebugPrivilege 3028 powershell.exe
Token: SeDebugPrivilege 560 powershell.exe
Token: SeDebugPrivilege 2204 powershell.exe
Token: SeDebugPrivilege 1088 powershell.exe
Token: SeDebugPrivilege 2236 powershell.exe
Token: SeDebugPrivilege 448 audiodg.exe
Token: SeDebugPrivilege 2204 audiodg.exe
Token: SeDebugPrivilege 2236 audiodg.exe
Token: SeDebugPrivilege 2732 audiodg.exe
Token: SeDebugPrivilege 864 audiodg.exe
Token: SeDebugPrivilege 2336 audiodg.exe
Token: SeDebugPrivilege 1456 audiodg.exe
Token: SeDebugPrivilege 1308 audiodg.exe
Token: SeDebugPrivilege 560 audiodg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\it-IT\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\fr-FR\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2052
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"8⤵PID:2064
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2888
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"10⤵PID:1416
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2520
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"12⤵PID:2684
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2944
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"14⤵PID:2088
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:836
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"16⤵PID:2636
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:2156
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"18⤵PID:2080
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:1588
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"20⤵PID:2460
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2568
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"22⤵PID:2120
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:1136
-
-
C:\Users\All Users\audiodg.exe"C:\Users\All Users\audiodg.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"24⤵PID:2580
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
Network
MITRE ATT&CK Enterprise v15
Downloads