Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 19:34
Behavioral task
behavioral1
Sample
JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe
-
Size
1.3MB
-
MD5
fcf3b7201f583150d14839331b58b665
-
SHA1
71b2596496c2aee893cc738fbfa0fe6cfb438c47
-
SHA256
c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96
-
SHA512
8288669988c9c7151ba9c6a9d999d3731d94dd3f0e0972d92366f16e695b26c94a2acad1669fed882f5fd1e2a5af6157b502a15006d57779077dbb83c7fc76a1
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2608 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1304 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1612 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1272 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 468 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2300 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1672 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1364 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 916 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 688 2372 schtasks.exe 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1540 2372 schtasks.exe 35
-
resource yara_rule
behavioral1/files/0x0008000000016de4-9.dat dcrat
behavioral1/memory/2676-13-0x00000000010F0000-0x0000000001200000-memory.dmp dcrat
behavioral1/memory/2916-121-0x00000000012C0000-0x00000000013D0000-memory.dmp dcrat
behavioral1/memory/2612-298-0x00000000012F0000-0x0000000001400000-memory.dmp dcrat
behavioral1/memory/1928-358-0x0000000000090000-0x00000000001A0000-memory.dmp dcrat
behavioral1/memory/1540-418-0x0000000000A40000-0x0000000000B50000-memory.dmp dcrat
behavioral1/memory/1528-478-0x0000000000F70000-0x0000000001080000-memory.dmp dcrat
behavioral1/memory/824-538-0x0000000000390000-0x00000000004A0000-memory.dmp dcrat
behavioral1/memory/2188-598-0x0000000000070000-0x0000000000180000-memory.dmp dcrat
behavioral1/memory/2144-658-0x0000000001030000-0x0000000001140000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
1804 powershell.exe
2476 powershell.exe
1808 powershell.exe
1004 powershell.exe
1384 powershell.exe
1548 powershell.exe
2448 powershell.exe
1536 powershell.exe
848 powershell.exe
1684 powershell.exe
2152 powershell.exe
1688 powershell.exe
2424 powershell.exe
2012 powershell.exe
-
Executes dropped EXE 12 IoCs
pid Process
2676 DllCommonsvc.exe
2916 cmd.exe
1936 cmd.exe
2664 cmd.exe
2612 cmd.exe
1928 cmd.exe
1540 cmd.exe
1528 cmd.exe
824 cmd.exe
2188 cmd.exe
2144 cmd.exe
916 cmd.exe
-
Loads dropped DLL 2 IoCs
pid Process
2140 cmd.exe
2140 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc
25 raw.githubusercontent.com
28 raw.githubusercontent.com
31 raw.githubusercontent.com
38 raw.githubusercontent.com
9 raw.githubusercontent.com
13 raw.githubusercontent.com
16 raw.githubusercontent.com
17 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
21 raw.githubusercontent.com
34 raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\Windows Media Player\ja-JP\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64 DllCommonsvc.exe
File created C:\Program Files\VideoLAN\VLC\locale\cmd.exe DllCommonsvc.exe
File created C:\Program Files\VideoLAN\VLC\locale\ebf1f9fa8afd6d DllCommonsvc.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\en-US\System.exe DllCommonsvc.exe
File opened for modification C:\Windows\en-US\System.exe DllCommonsvc.exe
File created C:\Windows\en-US\27d1bcfc3c54e0 DllCommonsvc.exe
File created C:\Windows\winsxs\DllCommonsvc.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process
Token: SeDebugPrivilege 2676 DllCommonsvc.exe
Token: SeDebugPrivilege 2012 powershell.exe
Token: SeDebugPrivilege 1384 powershell.exe
Token: SeDebugPrivilege 848 powershell.exe
Token: SeDebugPrivilege 1804 powershell.exe
Token: SeDebugPrivilege 1808 powershell.exe
Token: SeDebugPrivilege 1548 powershell.exe
Token: SeDebugPrivilege 1688 powershell.exe
Token: SeDebugPrivilege 2448 powershell.exe
Token: SeDebugPrivilege 2424 powershell.exe
Token: SeDebugPrivilege 2476 powershell.exe
Token: SeDebugPrivilege 2152 powershell.exe
Token: SeDebugPrivilege 1684 powershell.exe
Token: SeDebugPrivilege 1536 powershell.exe
Token: SeDebugPrivilege 1004 powershell.exe
Token: SeDebugPrivilege 2916 cmd.exe
Token: SeDebugPrivilege 1936 cmd.exe
Token: SeDebugPrivilege 2664 cmd.exe
Token: SeDebugPrivilege 2612 cmd.exe
Token: SeDebugPrivilege 1928 cmd.exe
Token: SeDebugPrivilege 1540 cmd.exe
Token: SeDebugPrivilege 1528 cmd.exe
Token: SeDebugPrivilege 824 cmd.exe
Token: SeDebugPrivilege 2188 cmd.exe
Token: SeDebugPrivilege 2144 cmd.exe
Token: SeDebugPrivilege 916 cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\System.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ZCIspfaYe.bat"
5⤵
PID:2344
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1316
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2640
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
9⤵
PID:2004
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:1808
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
11⤵
PID:2448
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:2964
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
13⤵
PID:2588
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1980
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
15⤵
PID:568
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:1012
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
17⤵
PID:2280
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:2468
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
19⤵
PID:2600
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:1072
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
21⤵
PID:2716
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:2160
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
23⤵
PID:2872
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:2684
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
25⤵
PID:1048
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:2204
-
-
C:\Program Files\VideoLAN\VLC\locale\cmd.exe
"C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
Network
MITRE ATT&CK Enterprise v15
Downloads