Analysis
-
max time kernel
146s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 21:06
Behavioral task
behavioral1
Sample
JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
-
Size
1.3MB
-
MD5
596fa7efb6978c8cb9463f1b9f362284
-
SHA1
2fdac4fb18abdb83cd16c1a6d4cf7d48050e5003
-
SHA256
afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2
-
SHA512
68dffb7d32b027cd142dcdd88bd973fbb3b4fb5759e6faf2a72f6072da1a710da4874a0e0e6ca6facab3cdbbffa30aa10e2da4291cfe4ae1097021f0f651c567
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1224 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1424 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2304 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2152 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 576 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1084 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1184 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 580 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2156 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1044 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 692 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1408 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 540 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 276 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1352 | 2868 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 664 | 2868 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x000700000001925c-9.dat | dcrat
behavioral1/memory/2256-13-0x0000000000CA0000-0x0000000000DB0000-memory.dmp | dcrat
behavioral1/memory/2068-59-0x0000000000890000-0x00000000009A0000-memory.dmp | dcrat
behavioral1/memory/2144-181-0x0000000000F80000-0x0000000001090000-memory.dmp | dcrat
behavioral1/memory/2640-536-0x0000000000240000-0x0000000000350000-memory.dmp | dcrat
behavioral1/memory/1860-596-0x0000000000AC0000-0x0000000000BD0000-memory.dmp | dcrat
behavioral1/memory/3036-657-0x0000000000F10000-0x0000000001020000-memory.dmp | dcrat
behavioral1/memory/3004-717-0x0000000001090000-0x00000000011A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 2492 powershell.exe 1132 powershell.exe 3024 powershell.exe 2052 powershell.exe 2380 powershell.exe 1272 powershell.exe 1984 powershell.exe 1532 powershell.exe 812 powershell.exe 1796 powershell.exe 3036 powershell.exe 1472 powershell.exe 2392 powershell.exe 2496 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2256 DllCommonsvc.exe 2068 System.exe 2144 System.exe 444 System.exe 1964 System.exe 2160 System.exe 996 System.exe 2620 System.exe 2640 System.exe 1860 System.exe 3036 System.exe 3004 System.exe -
Loads dropped DLL 2 IoCs
pid Process 2884 cmd.exe 2884 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 9 raw.githubusercontent.com 25 raw.githubusercontent.com 28 raw.githubusercontent.com 31 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 12 raw.githubusercontent.com 15 raw.githubusercontent.com 18 raw.githubusercontent.com 21 raw.githubusercontent.com 34 raw.githubusercontent.com -
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\088424020bedd6 | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\diagnostics\index\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\servicing\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\ehome\fr-FR\smss.exe | DllCommonsvc.exe
File created | C:\Windows\ehome\fr-FR\69ddcba757bf72 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2504 schtasks.exe 2956 schtasks.exe 1184 schtasks.exe 1592 schtasks.exe 2024 schtasks.exe 1408 schtasks.exe 540 schtasks.exe 1224 schtasks.exe 1700 schtasks.exe 2180 schtasks.exe 2204 schtasks.exe 2152 schtasks.exe 2952 schtasks.exe 580 schtasks.exe 1920 schtasks.exe 2188 schtasks.exe 2944 schtasks.exe 1848 schtasks.exe 404 schtasks.exe 576 schtasks.exe 1136 schtasks.exe 1368 schtasks.exe 1424 schtasks.exe 2656 schtasks.exe 1084 schtasks.exe 2896 schtasks.exe 2292 schtasks.exe 2800 schtasks.exe 1120 schtasks.exe 1352 schtasks.exe 2748 schtasks.exe 2604 schtasks.exe 2304 schtasks.exe 1144 schtasks.exe 2156 schtasks.exe 1044 schtasks.exe 692 schtasks.exe 276 schtasks.exe 664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2256 DllCommonsvc.exe 2256 DllCommonsvc.exe 2256 DllCommonsvc.exe 2256 DllCommonsvc.exe 2256 DllCommonsvc.exe 3036 powershell.exe 812 powershell.exe 1472 powershell.exe 2492 powershell.exe 2392 powershell.exe 2380 powershell.exe 2496 powershell.exe 2052 powershell.exe 1796 powershell.exe 1532 powershell.exe 3024 powershell.exe 1984 powershell.exe 1272 powershell.exe 1132 powershell.exe 2068 System.exe 2144 System.exe 444 System.exe 1964 System.exe 2160 System.exe 996 System.exe 2620 System.exe 2640 System.exe 1860 System.exe 3036 System.exe 3004 System.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 2256 DllCommonsvc.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 812 powershell.exe Token: SeDebugPrivilege 1472 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 2380 powershell.exe Token: SeDebugPrivilege 2496 powershell.exe Token: SeDebugPrivilege 2052 powershell.exe Token: SeDebugPrivilege 1796 powershell.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 1984 powershell.exe Token: SeDebugPrivilege 1272 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 2068 System.exe Token: SeDebugPrivilege 2144 System.exe Token: SeDebugPrivilege 444 System.exe Token: SeDebugPrivilege 1964 System.exe Token: SeDebugPrivilege 2160 System.exe Token: SeDebugPrivilege 996 System.exe Token: SeDebugPrivilege 2620 System.exe Token: SeDebugPrivilege 2640 System.exe Token: SeDebugPrivilege 1860 System.exe Token: SeDebugPrivilege 3036 System.exe Token: SeDebugPrivilege 3004 System.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 2388 2556 JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe 30 PID 2556 wrote to memory of 2388 2556 JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe 30 PID 2556 wrote to memory of 2388 2556 JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe 30 PID 2556 wrote to memory of 2388 2556 JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe 30 PID 2388 wrote to memory of 2884 2388 WScript.exe 31 PID 2388 wrote to memory of 2884 2388 WScript.exe 31 PID 2388 wrote to memory of 2884 2388 WScript.exe 31 PID 2388 wrote to memory of 2884 2388 WScript.exe 31 PID 2884 wrote to memory of 2256 2884 cmd.exe 33 PID 2884 wrote to memory of 2256 2884 cmd.exe 33 PID 2884 wrote to memory of 2256 2884 cmd.exe 33 PID 2884 wrote to memory of 2256 2884 cmd.exe 33 PID 2256 wrote to memory of 812 2256 DllCommonsvc.exe 74 PID 2256 wrote to memory of 812 2256 DllCommonsvc.exe 74 PID 2256 wrote to memory of 812 2256 DllCommonsvc.exe 74 PID 2256 wrote to memory of 2492 2256 DllCommonsvc.exe 75 PID 2256 wrote to memory of 2492 2256 DllCommonsvc.exe 75 PID 2256 wrote to memory of 2492 2256 DllCommonsvc.exe 75 PID 2256 wrote to memory of 2496 2256 DllCommonsvc.exe 77 PID 2256 wrote to memory of 2496 2256 DllCommonsvc.exe 77 PID 2256 wrote to memory of 2496 2256 DllCommonsvc.exe 77 PID 2256 wrote to memory of 1532 2256 DllCommonsvc.exe 78 PID 2256 wrote to memory of 1532 2256 DllCommonsvc.exe 78 PID 2256 wrote to memory of 1532 2256 DllCommonsvc.exe 78 PID 2256 wrote to memory of 2392 2256 DllCommonsvc.exe 79 PID 2256 wrote to memory of 2392 2256 DllCommonsvc.exe 79 PID 2256 wrote to memory of 2392 2256 DllCommonsvc.exe 79 PID 2256 wrote to memory of 2052 2256 DllCommonsvc.exe 80 PID 2256 wrote to memory of 2052 2256 DllCommonsvc.exe 80 PID 2256 wrote to memory of 2052 2256 DllCommonsvc.exe 80 PID 2256 wrote 
to memory of 3036 2256 DllCommonsvc.exe 81 PID 2256 wrote to memory of 3036 2256 DllCommonsvc.exe 81 PID 2256 wrote to memory of 3036 2256 DllCommonsvc.exe 81 PID 2256 wrote to memory of 1984 2256 DllCommonsvc.exe 82 PID 2256 wrote to memory of 1984 2256 DllCommonsvc.exe 82 PID 2256 wrote to memory of 1984 2256 DllCommonsvc.exe 82 PID 2256 wrote to memory of 3024 2256 DllCommonsvc.exe 83 PID 2256 wrote to memory of 3024 2256 DllCommonsvc.exe 83 PID 2256 wrote to memory of 3024 2256 DllCommonsvc.exe 83 PID 2256 wrote to memory of 1796 2256 DllCommonsvc.exe 84 PID 2256 wrote to memory of 1796 2256 DllCommonsvc.exe 84 PID 2256 wrote to memory of 1796 2256 DllCommonsvc.exe 84 PID 2256 wrote to memory of 1132 2256 DllCommonsvc.exe 85 PID 2256 wrote to memory of 1132 2256 DllCommonsvc.exe 85 PID 2256 wrote to memory of 1132 2256 DllCommonsvc.exe 85 PID 2256 wrote to memory of 1472 2256 DllCommonsvc.exe 86 PID 2256 wrote to memory of 1472 2256 DllCommonsvc.exe 86 PID 2256 wrote to memory of 1472 2256 DllCommonsvc.exe 86 PID 2256 wrote to memory of 1272 2256 DllCommonsvc.exe 87 PID 2256 wrote to memory of 1272 2256 DllCommonsvc.exe 87 PID 2256 wrote to memory of 1272 2256 DllCommonsvc.exe 87 PID 2256 wrote to memory of 2380 2256 DllCommonsvc.exe 88 PID 2256 wrote to memory of 2380 2256 DllCommonsvc.exe 88 PID 2256 wrote to memory of 2380 2256 DllCommonsvc.exe 88 PID 2256 wrote to memory of 2068 2256 DllCommonsvc.exe 102 PID 2256 wrote to memory of 2068 2256 DllCommonsvc.exe 102 PID 2256 wrote to memory of 2068 2256 DllCommonsvc.exe 102 PID 2068 wrote to memory of 2644 2068 System.exe 104 PID 2068 wrote to memory of 2644 2068 System.exe 104 PID 2068 wrote to memory of 2644 2068 System.exe 104 PID 2644 wrote to memory of 2336 2644 cmd.exe 106 PID 2644 wrote to memory of 2336 2644 cmd.exe 106 PID 2644 wrote to memory of 2336 2644 cmd.exe 106 PID 2644 wrote to memory of 2144 2644 cmd.exe 107 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\fr-FR\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2336
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"8⤵PID:1244
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1644
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"10⤵PID:2424
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1252
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"12⤵PID:2328
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2964
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"14⤵PID:2280
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1368
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"16⤵PID:2660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:608
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"18⤵PID:1800
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1432
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"20⤵PID:1864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2780
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"22⤵PID:1588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2108
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"24⤵PID:984
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1304
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\fr-FR\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
Network
MITRE ATT&CK Enterprise v15
Downloads