Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 21:16
Behavioral task
behavioral1
Sample
JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe
-
Size
1.3MB
-
MD5
1ad2438558c7e3cd8d056fc3e82fa5d9
-
SHA1
648af128b0c42514f6d8c3fefd26b40f709ce6ab
-
SHA256
eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a
-
SHA512
0afb9ee48dcd38e5e88bea63ba4f82b55b323c9dd8ee65c9905b3f00765fdc7d08f4b64fee3e327a16de0b992226fda48a59821ab3ef22342c4efea82f40ef83
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0008000000016d46-9.dat | dcrat
behavioral1/memory/2696-13-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat
behavioral1/memory/1092-121-0x0000000000830000-0x0000000000940000-memory.dmp | dcrat
behavioral1/memory/2024-181-0x0000000000260000-0x0000000000370000-memory.dmp | dcrat
behavioral1/memory/1948-241-0x0000000001210000-0x0000000001320000-memory.dmp | dcrat
behavioral1/memory/872-420-0x0000000000360000-0x0000000000470000-memory.dmp | dcrat
behavioral1/memory/1640-481-0x0000000000340000-0x0000000000450000-memory.dmp | dcrat
behavioral1/memory/352-542-0x0000000001330000-0x0000000001440000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
pid | Process
2696 | DllCommonsvc.exe
1092 | dllhost.exe
2024 | dllhost.exe
1948 | dllhost.exe
1300 | dllhost.exe
1536 | dllhost.exe
872 | dllhost.exe
1640 | dllhost.exe
352 | dllhost.exe
1824 | dllhost.exe
2988 | dllhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2896 | cmd.exe
2896 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
33 | raw.githubusercontent.com
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\42af1c969fbb7b | DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\system\lsm.exe | DllCommonsvc.exe
File created | C:\Windows\system\101b941d020240 | DllCommonsvc.exe
File created | C:\Windows\en-US\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\en-US\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\AppPatch\es-ES\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\AppPatch\es-ES\7a0fd90576e088 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2696 | DllCommonsvc.exe
Token: SeDebugPrivilege | 836 | powershell.exe
Token: SeDebugPrivilege | 1548 | powershell.exe
Token: SeDebugPrivilege | 1620 | powershell.exe
Token: SeDebugPrivilege | 1672 | powershell.exe
Token: SeDebugPrivilege | 2484 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 1468 | powershell.exe
Token: SeDebugPrivilege | 3024 | powershell.exe
Token: SeDebugPrivilege | 904 | powershell.exe
Token: SeDebugPrivilege | 2276 | powershell.exe
Token: SeDebugPrivilege | 2256 | powershell.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 2156 | powershell.exe
Token: SeDebugPrivilege | 916 | powershell.exe
Token: SeDebugPrivilege | 1092 | dllhost.exe
Token: SeDebugPrivilege | 2024 | dllhost.exe
Token: SeDebugPrivilege | 1948 | dllhost.exe
Token: SeDebugPrivilege | 1300 | dllhost.exe
Token: SeDebugPrivilege | 1536 | dllhost.exe
Token: SeDebugPrivilege | 872 | dllhost.exe
Token: SeDebugPrivilege | 1640 | dllhost.exe
Token: SeDebugPrivilege | 352 | dllhost.exe
Token: SeDebugPrivilege | 1824 | dllhost.exe
Token: SeDebugPrivilege | 2988 | dllhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\es-ES\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jlaUygCJur.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1056
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"7⤵PID:2588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1536
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"9⤵PID:3052
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2624
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"11⤵PID:2208
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1168
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"13⤵PID:1244
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2652
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"15⤵PID:956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:3060
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"17⤵PID:2888
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1768
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"19⤵PID:2804
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2760
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"21⤵PID:2500
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1684
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"23⤵PID:1960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2452
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"25⤵PID:2992
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\system\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\system\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\system\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
Network
MITRE ATT&CK Enterprise v15
Downloads