Analysis
max time kernel: 147s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:48
Behavioral task: behavioral1
Sample: JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe
Size: 1.3MB
MD5: cfb6e71af6e06abbf0a43c41f75afa4c
SHA1: 2ec007bed8ec35c8a48b62f2620b05bf7eed77bb
SHA256: d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2
SHA512: aa26f2e7066afb1694dba0e5b9ba426ce0be1ebb5b78dcb87cb2beea43ba896dc311d88d20c2a134798f2755889f4170cd634b88df1f928ef15d4addc35c66bb
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x000900000001660b-12.dat | dcrat
behavioral1/memory/2784-13-0x00000000013B0000-0x00000000014C0000-memory.dmp | dcrat
behavioral1/memory/2012-129-0x00000000001B0000-0x00000000002C0000-memory.dmp | dcrat
behavioral1/memory/2164-188-0x0000000000160000-0x0000000000270000-memory.dmp | dcrat
behavioral1/memory/1732-249-0x0000000001140000-0x0000000001250000-memory.dmp | dcrat
behavioral1/memory/2260-486-0x0000000000820000-0x0000000000930000-memory.dmp | dcrat
behavioral1/memory/2876-546-0x00000000011A0000-0x00000000012B0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 9 IoCs
pid | Process
2784 | DllCommonsvc.exe
2012 | cmd.exe
2164 | cmd.exe
1732 | cmd.exe
1704 | cmd.exe
2592 | cmd.exe
2308 | cmd.exe
2260 | cmd.exe
2876 | cmd.exe
Loads dropped DLL 2 IoCs
pid | Process
3064 | cmd.exe
3064 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
21 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
17 | raw.githubusercontent.com
32 | raw.githubusercontent.com
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Defender\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\Icons\conhost.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FShK27bb29.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1848
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"7⤵PID:2236
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1748
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"9⤵PID:2696
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:952
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"11⤵PID:2076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2452
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"13⤵PID:1856
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:992
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"15⤵PID:2628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1328
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"17⤵PID:2272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:936
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"19⤵PID:3048
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:1504
-
-
C:\Program Files (x86)\Windows Defender\cmd.exe"C:\Program Files (x86)\Windows Defender\cmd.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
Network
MITRE ATT&CK Enterprise v15
Downloads