Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 00:54
Behavioral task behavioral1
- Sample: JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe
- Size: 1.3MB
- MD5: d5603ed0e199733eca5dd23f9d4bcfd6
- SHA1: b6be4313c838be71cf85571f313811e1db13677b
- SHA256: 38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7
- SHA512: feecbf9e51cd524934e0475e631fae5e95ed431124947ccc1d756f710a90dcaaa9d2b0ac6add90c0264a6e62182c0fa59521f53dcd6249d4714c319ea94aaa87
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2156 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 952 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1732 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1216 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1312 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1204 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 976 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1016 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2100 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2508 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1056 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 700 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2800 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 2800 | schtasks.exe | 33
-
resource | yara_rule
behavioral1/files/0x0008000000019326-10.dat | dcrat
behavioral1/memory/2812-13-0x0000000001380000-0x0000000001490000-memory.dmp | dcrat
behavioral1/memory/2300-50-0x0000000000B20000-0x0000000000C30000-memory.dmp | dcrat
behavioral1/memory/2212-180-0x0000000000E40000-0x0000000000F50000-memory.dmp | dcrat
behavioral1/memory/1008-301-0x0000000000E70000-0x0000000000F80000-memory.dmp | dcrat
behavioral1/memory/2760-361-0x00000000011C0000-0x00000000012D0000-memory.dmp | dcrat
behavioral1/memory/2120-421-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
behavioral1/memory/3064-600-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat
behavioral1/memory/2404-660-0x0000000000E50000-0x0000000000F60000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
pid | Process
2936 | cmd.exe
2936 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
16 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
25 | raw.githubusercontent.com
36 | raw.githubusercontent.com
4 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\System32\a76d7bf15d8370 | DllCommonsvc.exe
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\wininit.exe | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SchCache\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\SchCache\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\debug\WIA\smss.exe | DllCommonsvc.exe
File created | C:\Windows\debug\WIA\69ddcba757bf72 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2812 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2300 | lsass.exe
Token: SeDebugPrivilege | 2028 | powershell.exe
Token: SeDebugPrivilege | 2488 | powershell.exe
Token: SeDebugPrivilege | 1568 | powershell.exe
Token: SeDebugPrivilege | 1748 | powershell.exe
Token: SeDebugPrivilege | 2416 | powershell.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 1844 | powershell.exe
Token: SeDebugPrivilege | 332 | powershell.exe
Token: SeDebugPrivilege | 1072 | powershell.exe
Token: SeDebugPrivilege | 920 | powershell.exe
Token: SeDebugPrivilege | 2240 | powershell.exe
Token: SeDebugPrivilege | 2916 | powershell.exe
Token: SeDebugPrivilege | 1712 | powershell.exe
Token: SeDebugPrivilege | 2012 | powershell.exe
Token: SeDebugPrivilege | 2212 | lsass.exe
Token: SeDebugPrivilege | 2396 | lsass.exe
Token: SeDebugPrivilege | 1008 | lsass.exe
Token: SeDebugPrivilege | 2760 | lsass.exe
Token: SeDebugPrivilege | 2120 | lsass.exe
Token: SeDebugPrivilege | 928 | lsass.exe
Token: SeDebugPrivilege | 2844 | lsass.exe
Token: SeDebugPrivilege | 3064 | lsass.exe
Token: SeDebugPrivilege | 2404 | lsass.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:3024
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat" 8⤵ PID:2920
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:1992
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat" 10⤵ PID:1368
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:1488
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat" 12⤵ PID:1504
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2544
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat" 14⤵ PID:2032
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:1976
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat" 16⤵ PID:612
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:1740
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat" 18⤵ PID:2236
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:2496
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat" 20⤵ PID:1064
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2500
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat" 22⤵ PID:2408
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2060
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat" 24⤵ PID:1260
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:2936
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\System32\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB