Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 20:53
Behavioral task
behavioral1
Sample
JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe
-
Size
1.3MB
-
MD5
5b1573fb9f71a41b9399e10eebc73cf1
-
SHA1
ae3caf1f1a3173807f818bfdeedf131986793d67
-
SHA256
ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218
-
SHA512
6943124bf3ee815c861e2bcdc190f2e8e8afe26dcd29723e65a1d17e5749a66f9f1ef3e0b1384ffcde5f7ff91aafbca21d1fa9eca2b86690050b9361309e519e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 604 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 912 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1760 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2360 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1140 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1088 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 680 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1576 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 824 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1284 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 788 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1464 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2540 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2540 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x000800000001747b-9.dat | dcrat
behavioral1/memory/2092-13-0x0000000000080000-0x0000000000190000-memory.dmp | dcrat
behavioral1/memory/2768-129-0x0000000000CA0000-0x0000000000DB0000-memory.dmp | dcrat
behavioral1/memory/1844-188-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat
behavioral1/memory/2716-248-0x0000000000FF0000-0x0000000001100000-memory.dmp | dcrat
behavioral1/memory/1588-308-0x00000000011E0000-0x00000000012F0000-memory.dmp | dcrat
behavioral1/memory/2316-486-0x00000000003E0000-0x00000000004F0000-memory.dmp | dcrat
behavioral1/memory/2356-546-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/2136-606-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/2436-667-0x0000000000860000-0x0000000000970000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1716 | powershell.exe
1188 | powershell.exe
896 | powershell.exe
988 | powershell.exe
880 | powershell.exe
2152 | powershell.exe
1360 | powershell.exe
2184 | powershell.exe
1260 | powershell.exe
1580 | powershell.exe
1584 | powershell.exe
1436 | powershell.exe
1596 | powershell.exe
1488 | powershell.exe
3060 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2092 | DllCommonsvc.exe
2768 | explorer.exe
1844 | explorer.exe
2716 | explorer.exe
1588 | explorer.exe
2420 | explorer.exe
3000 | explorer.exe
2316 | explorer.exe
2356 | explorer.exe
2136 | explorer.exe
2436 | explorer.exe
1628 | explorer.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1776 | cmd.exe
1776 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
36 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\es-ES\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\es-ES\ebf1f9fa8afd6d | DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework64\1040\services.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework64\1040\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Windows\addins\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\addins\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\56085415360792 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1916 | schtasks.exe
1576 | schtasks.exe
2604 | schtasks.exe
2520 | schtasks.exe
2852 | schtasks.exe
2084 | schtasks.exe
2532 | schtasks.exe
1760 | schtasks.exe
1284 | schtasks.exe
2864 | schtasks.exe
2936 | schtasks.exe
1088 | schtasks.exe
824 | schtasks.exe
2356 | schtasks.exe
788 | schtasks.exe
2552 | schtasks.exe
1668 | schtasks.exe
1008 | schtasks.exe
2360 | schtasks.exe
1752 | schtasks.exe
1844 | schtasks.exe
1852 | schtasks.exe
2060 | schtasks.exe
2860 | schtasks.exe
2828 | schtasks.exe
2056 | schtasks.exe
1944 | schtasks.exe
2572 | schtasks.exe
680 | schtasks.exe
1464 | schtasks.exe
1796 | schtasks.exe
1448 | schtasks.exe
1956 | schtasks.exe
912 | schtasks.exe
2496 | schtasks.exe
1020 | schtasks.exe
2820 | schtasks.exe
1140 | schtasks.exe
1800 | schtasks.exe
2704 | schtasks.exe
604 | schtasks.exe
1720 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
2092 | DllCommonsvc.exe
2092 | DllCommonsvc.exe
2092 | DllCommonsvc.exe
2092 | DllCommonsvc.exe
2092 | DllCommonsvc.exe
2184 | powershell.exe
988 | powershell.exe
1596 | powershell.exe
1580 | powershell.exe
2152 | powershell.exe
896 | powershell.exe
1436 | powershell.exe
1260 | powershell.exe
1188 | powershell.exe
3060 | powershell.exe
1488 | powershell.exe
1716 | powershell.exe
880 | powershell.exe
1584 | powershell.exe
1360 | powershell.exe
2768 | explorer.exe
1844 | explorer.exe
2716 | explorer.exe
1588 | explorer.exe
2420 | explorer.exe
3000 | explorer.exe
2316 | explorer.exe
2356 | explorer.exe
2136 | explorer.exe
2436 | explorer.exe
1628 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2092 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2184 | powershell.exe
Token: SeDebugPrivilege | 988 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 1580 | powershell.exe
Token: SeDebugPrivilege | 2152 | powershell.exe
Token: SeDebugPrivilege | 896 | powershell.exe
Token: SeDebugPrivilege | 1436 | powershell.exe
Token: SeDebugPrivilege | 1260 | powershell.exe
Token: SeDebugPrivilege | 1188 | powershell.exe
Token: SeDebugPrivilege | 3060 | powershell.exe
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeDebugPrivilege | 1716 | powershell.exe
Token: SeDebugPrivilege | 880 | powershell.exe
Token: SeDebugPrivilege | 1584 | powershell.exe
Token: SeDebugPrivilege | 1360 | powershell.exe
Token: SeDebugPrivilege | 2768 | explorer.exe
Token: SeDebugPrivilege | 1844 | explorer.exe
Token: SeDebugPrivilege | 2716 | explorer.exe
Token: SeDebugPrivilege | 1588 | explorer.exe
Token: SeDebugPrivilege | 2420 | explorer.exe
Token: SeDebugPrivilege | 3000 | explorer.exe
Token: SeDebugPrivilege | 2316 | explorer.exe
Token: SeDebugPrivilege | 2356 | explorer.exe
Token: SeDebugPrivilege | 2136 | explorer.exe
Token: SeDebugPrivilege | 2436 | explorer.exe
Token: SeDebugPrivilege | 1628 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2948 wrote to memory of 2960 | 2948 | JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe | 31
PID 2948 wrote to memory of 2960 | 2948 | JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe | 31
PID 2948 wrote to memory of 2960 | 2948 | JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe | 31
PID 2948 wrote to memory of 2960 | 2948 | JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe | 31
PID 2960 wrote to memory of 1776 | 2960 | WScript.exe | 32
PID 2960 wrote to memory of 1776 | 2960 | WScript.exe | 32
PID 2960 wrote to memory of 1776 | 2960 | WScript.exe | 32
PID 2960 wrote to memory of 1776 | 2960 | WScript.exe | 32
PID 1776 wrote to memory of 2092 | 1776 | cmd.exe | 34
PID 1776 wrote to memory of 2092 | 1776 | cmd.exe | 34
PID 1776 wrote to memory of 2092 | 1776 | cmd.exe | 34
PID 1776 wrote to memory of 2092 | 1776 | cmd.exe | 34
PID 2092 wrote to memory of 988 | 2092 | DllCommonsvc.exe | 78
PID 2092 wrote to memory of 988 | 2092 | DllCommonsvc.exe | 78
PID 2092 wrote to memory of 988 | 2092 | DllCommonsvc.exe | 78
PID 2092 wrote to memory of 2184 | 2092 | DllCommonsvc.exe | 79
PID 2092 wrote to memory of 2184 | 2092 | DllCommonsvc.exe | 79
PID 2092 wrote to memory of 2184 | 2092 | DllCommonsvc.exe | 79
PID 2092 wrote to memory of 3060 | 2092 | DllCommonsvc.exe | 80
PID 2092 wrote to memory of 3060 | 2092 | DllCommonsvc.exe | 80
PID 2092 wrote to memory of 3060 | 2092 | DllCommonsvc.exe | 80
PID 2092 wrote to memory of 1716 | 2092 | DllCommonsvc.exe | 82
PID 2092 wrote to memory of 1716 | 2092 | DllCommonsvc.exe | 82
PID 2092 wrote to memory of 1716 | 2092 | DllCommonsvc.exe | 82
PID 2092 wrote to memory of 1360 | 2092 | DllCommonsvc.exe | 84
PID 2092 wrote to memory of 1360 | 2092 | DllCommonsvc.exe | 84
PID 2092 wrote to memory of 1360 | 2092 | DllCommonsvc.exe | 84
PID 2092 wrote to memory of 1488 | 2092 | DllCommonsvc.exe | 85
PID 2092 wrote to memory of 1488 | 2092 | DllCommonsvc.exe | 85
PID 2092 wrote to memory of 1488 | 2092 | DllCommonsvc.exe | 85
PID 2092 wrote to memory of 1596 | 2092 | DllCommonsvc.exe | 86
PID 2092 wrote to memory of 1596 | 2092 | DllCommonsvc.exe | 86
PID 2092 wrote to memory of 1596 | 2092 | DllCommonsvc.exe | 86
PID 2092 wrote to memory of 1188 | 2092 | DllCommonsvc.exe | 87
PID 2092 wrote to memory of 1188 | 2092 | DllCommonsvc.exe | 87
PID 2092 wrote to memory of 1188 | 2092 | DllCommonsvc.exe | 87
PID 2092 wrote to memory of 1584 | 2092 | DllCommonsvc.exe | 88
PID 2092 wrote to memory of 1584 | 2092 | DllCommonsvc.exe | 88
PID 2092 wrote to memory of 1584 | 2092 | DllCommonsvc.exe | 88
PID 2092 wrote to memory of 1580 | 2092 | DllCommonsvc.exe | 89
PID 2092 wrote to memory of 1580 | 2092 | DllCommonsvc.exe | 89
PID 2092 wrote to memory of 1580 | 2092 | DllCommonsvc.exe | 89
PID 2092 wrote to memory of 1436 | 2092 | DllCommonsvc.exe | 90
PID 2092 wrote to memory of 1436 | 2092 | DllCommonsvc.exe | 90
PID 2092 wrote to memory of 1436 | 2092 | DllCommonsvc.exe | 90
PID 2092 wrote to memory of 2152 | 2092 | DllCommonsvc.exe | 91
PID 2092 wrote to memory of 2152 | 2092 | DllCommonsvc.exe | 91
PID 2092 wrote to memory of 2152 | 2092 | DllCommonsvc.exe | 91
PID 2092 wrote to memory of 896 | 2092 | DllCommonsvc.exe | 92
PID 2092 wrote to memory of 896 | 2092 | DllCommonsvc.exe | 92
PID 2092 wrote to memory of 896 | 2092 | DllCommonsvc.exe | 92
PID 2092 wrote to memory of 880 | 2092 | DllCommonsvc.exe | 93
PID 2092 wrote to memory of 880 | 2092 | DllCommonsvc.exe | 93
PID 2092 wrote to memory of 880 | 2092 | DllCommonsvc.exe | 93
PID 2092 wrote to memory of 1260 | 2092 | DllCommonsvc.exe | 94
PID 2092 wrote to memory of 1260 | 2092 | DllCommonsvc.exe | 94
PID 2092 wrote to memory of 1260 | 2092 | DllCommonsvc.exe | 94
PID 2092 wrote to memory of 2200 | 2092 | DllCommonsvc.exe | 106
PID 2092 wrote to memory of 2200 | 2092 | DllCommonsvc.exe | 106
PID 2092 wrote to memory of 2200 | 2092 | DllCommonsvc.exe | 106
PID 2200 wrote to memory of 1432 | 2200 | cmd.exe | 110
PID 2200 wrote to memory of 1432 | 2200 | cmd.exe | 110
PID 2200 wrote to memory of 1432 | 2200 | cmd.exe | 110
PID 2200 wrote to memory of 2768 | 2200 | cmd.exe | 111
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef0b5331182f0ef12275d536d5a16f61f2ab77aa7a9df7e4fde1de247884a218.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\noFB8H0MwD.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1432
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"7⤵PID:2860
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3068
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"9⤵PID:1712
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:912
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"11⤵PID:2920
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2764
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"13⤵PID:2164
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1704
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"15⤵PID:2916
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2976
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"17⤵PID:1556
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2872
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"19⤵PID:1476
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2452
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"21⤵PID:1976
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:316
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"23⤵PID:1760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2740
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"25⤵PID:680
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:660
-
-
C:\Users\Public\Pictures\Sample Pictures\explorer.exe"C:\Users\Public\Pictures\Sample Pictures\explorer.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\es-ES\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Videos\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\1040\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
Network
MITRE ATT&CK Enterprise v15
Downloads