Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 00:25
Behavioral task: behavioral1
Sample: JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe
Size: 1.3MB
MD5: 8c6e53853dc49576ea358ba4f80a9de8
SHA1: 0a75ca262f3ba2fb18f8917a9eb7f09b3c381fb2
SHA256: 230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde
SHA512: efbf7eab849266bd571c190bb092a44e4a7b9fbfcb8c47920267de5cd867c6d73461da7328571680933cb1b9107de3f38ee41cdad6e9d4f0916c02142111b054
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1940 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1304 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1432 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 320 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 632 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 408 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2452 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2892 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x00080000000162b2-12.dat | dcrat
behavioral1/memory/1852-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp | dcrat
behavioral1/memory/1680-55-0x0000000001250000-0x0000000001360000-memory.dmp | dcrat
behavioral1/memory/1508-344-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/3040-405-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/344-465-0x00000000001F0000-0x0000000000300000-memory.dmp | dcrat
behavioral1/memory/604-526-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/1436-586-0x0000000000BD0000-0x0000000000CE0000-memory.dmp | dcrat
behavioral1/memory/2852-705-0x0000000001150000-0x0000000001260000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
672 | powershell.exe
1528 | powershell.exe
1784 | powershell.exe
2460 | powershell.exe
1136 | powershell.exe
2148 | powershell.exe
2468 | powershell.exe
1684 | powershell.exe
1364 | powershell.exe
1372 | powershell.exe
1664 | powershell.exe
956 | powershell.exe
Executes dropped EXE 13 IoCs
pid | Process
1852 | DllCommonsvc.exe
1680 | csrss.exe
2156 | csrss.exe
2952 | csrss.exe
1264 | csrss.exe
1508 | csrss.exe
3040 | csrss.exe
344 | csrss.exe
604 | csrss.exe
1436 | csrss.exe
2068 | csrss.exe
2852 | csrss.exe
1672 | csrss.exe
Loads dropped DLL 2 IoCs
pid | Process
1832 | cmd.exe
1832 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
23 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
40 | raw.githubusercontent.com
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
20 | raw.githubusercontent.com
36 | raw.githubusercontent.com
43 | raw.githubusercontent.com
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\Application\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\Application\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\1610b97d3ab4a7 | DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe | DllCommonsvc.exe
File created | C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Windows\Installer\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Installer\a76d7bf15d8370 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2012 | schtasks.exe
3040 | schtasks.exe
2032 | schtasks.exe
2816 | schtasks.exe
1744 | schtasks.exe
1432 | schtasks.exe
2072 | schtasks.exe
1256 | schtasks.exe
2884 | schtasks.exe
2596 | schtasks.exe
2528 | schtasks.exe
2452 | schtasks.exe
844 | schtasks.exe
320 | schtasks.exe
2920 | schtasks.exe
1304 | schtasks.exe
2676 | schtasks.exe
2432 | schtasks.exe
2776 | schtasks.exe
632 | schtasks.exe
1524 | schtasks.exe
2624 | schtasks.exe
2628 | schtasks.exe
408 | schtasks.exe
2968 | schtasks.exe
1740 | schtasks.exe
560 | schtasks.exe
1500 | schtasks.exe
2000 | schtasks.exe
2052 | schtasks.exe
2132 | schtasks.exe
2632 | schtasks.exe
1940 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
1852 | DllCommonsvc.exe
1852 | DllCommonsvc.exe
1852 | DllCommonsvc.exe
956 | powershell.exe
672 | powershell.exe
1528 | powershell.exe
1364 | powershell.exe
1784 | powershell.exe
2468 | powershell.exe
1136 | powershell.exe
2460 | powershell.exe
1684 | powershell.exe
1664 | powershell.exe
1372 | powershell.exe
2148 | powershell.exe
1680 | csrss.exe
2156 | csrss.exe
2952 | csrss.exe
1264 | csrss.exe
1508 | csrss.exe
3040 | csrss.exe
344 | csrss.exe
604 | csrss.exe
1436 | csrss.exe
2068 | csrss.exe
2852 | csrss.exe
1672 | csrss.exe
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1852 | DllCommonsvc.exe
Token: SeDebugPrivilege | 956 | powershell.exe
Token: SeDebugPrivilege | 672 | powershell.exe
Token: SeDebugPrivilege | 1528 | powershell.exe
Token: SeDebugPrivilege | 1364 | powershell.exe
Token: SeDebugPrivilege | 1784 | powershell.exe
Token: SeDebugPrivilege | 2468 | powershell.exe
Token: SeDebugPrivilege | 1136 | powershell.exe
Token: SeDebugPrivilege | 2460 | powershell.exe
Token: SeDebugPrivilege | 1684 | powershell.exe
Token: SeDebugPrivilege | 1664 | powershell.exe
Token: SeDebugPrivilege | 1372 | powershell.exe
Token: SeDebugPrivilege | 2148 | powershell.exe
Token: SeDebugPrivilege | 1680 | csrss.exe
Token: SeDebugPrivilege | 2156 | csrss.exe
Token: SeDebugPrivilege | 2952 | csrss.exe
Token: SeDebugPrivilege | 1264 | csrss.exe
Token: SeDebugPrivilege | 1508 | csrss.exe
Token: SeDebugPrivilege | 3040 | csrss.exe
Token: SeDebugPrivilege | 344 | csrss.exe
Token: SeDebugPrivilege | 604 | csrss.exe
Token: SeDebugPrivilege | 1436 | csrss.exe
Token: SeDebugPrivilege | 2068 | csrss.exe
Token: SeDebugPrivilege | 2852 | csrss.exe
Token: SeDebugPrivilege | 1672 | csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe | 30
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe | 30
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe | 30
PID 2508 wrote to memory of 2408 | 2508 | JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe | 30
PID 2408 wrote to memory of 1832 | 2408 | WScript.exe | 31
PID 2408 wrote to memory of 1832 | 2408 | WScript.exe | 31
PID 2408 wrote to memory of 1832 | 2408 | WScript.exe | 31
PID 2408 wrote to memory of 1832 | 2408 | WScript.exe | 31
PID 1832 wrote to memory of 1852 | 1832 | cmd.exe | 33
PID 1832 wrote to memory of 1852 | 1832 | cmd.exe | 33
PID 1832 wrote to memory of 1852 | 1832 | cmd.exe | 33
PID 1832 wrote to memory of 1852 | 1832 | cmd.exe | 33
PID 1852 wrote to memory of 1664 | 1852 | DllCommonsvc.exe | 68
PID 1852 wrote to memory of 1664 | 1852 | DllCommonsvc.exe | 68
PID 1852 wrote to memory of 1664 | 1852 | DllCommonsvc.exe | 68
PID 1852 wrote to memory of 956 | 1852 | DllCommonsvc.exe | 69
PID 1852 wrote to memory of 956 | 1852 | DllCommonsvc.exe | 69
PID 1852 wrote to memory of 956 | 1852 | DllCommonsvc.exe | 69
PID 1852 wrote to memory of 1372 | 1852 | DllCommonsvc.exe | 70
PID 1852 wrote to memory of 1372 | 1852 | DllCommonsvc.exe | 70
PID 1852 wrote to memory of 1372 | 1852 | DllCommonsvc.exe | 70
PID 1852 wrote to memory of 672 | 1852 | DllCommonsvc.exe | 71
PID 1852 wrote to memory of 672 | 1852 | DllCommonsvc.exe | 71
PID 1852 wrote to memory of 672 | 1852 | DllCommonsvc.exe | 71
PID 1852 wrote to memory of 2148 | 1852 | DllCommonsvc.exe | 72
PID 1852 wrote to memory of 2148 | 1852 | DllCommonsvc.exe | 72
PID 1852 wrote to memory of 2148 | 1852 | DllCommonsvc.exe | 72
PID 1852 wrote to memory of 1136 | 1852 | DllCommonsvc.exe | 73
PID 1852 wrote to memory of 1136 | 1852 | DllCommonsvc.exe | 73
PID 1852 wrote to memory of 1136 | 1852 | DllCommonsvc.exe | 73
PID 1852 wrote to memory of 2468 | 1852 | DllCommonsvc.exe | 74
PID 1852 wrote to memory of 2468 | 1852 | DllCommonsvc.exe | 74
PID 1852 wrote to memory of 2468 | 1852 | DllCommonsvc.exe | 74
PID 1852 wrote to memory of 1684 | 1852 | DllCommonsvc.exe | 76
PID 1852 wrote to memory of 1684 | 1852 | DllCommonsvc.exe | 76
PID 1852 wrote to memory of 1684 | 1852 | DllCommonsvc.exe | 76
PID 1852 wrote to memory of 1364 | 1852 | DllCommonsvc.exe | 77
PID 1852 wrote to memory of 1364 | 1852 | DllCommonsvc.exe | 77
PID 1852 wrote to memory of 1364 | 1852 | DllCommonsvc.exe | 77
PID 1852 wrote to memory of 1528 | 1852 | DllCommonsvc.exe | 78
PID 1852 wrote to memory of 1528 | 1852 | DllCommonsvc.exe | 78
PID 1852 wrote to memory of 1528 | 1852 | DllCommonsvc.exe | 78
PID 1852 wrote to memory of 1784 | 1852 | DllCommonsvc.exe | 79
PID 1852 wrote to memory of 1784 | 1852 | DllCommonsvc.exe | 79
PID 1852 wrote to memory of 1784 | 1852 | DllCommonsvc.exe | 79
PID 1852 wrote to memory of 2460 | 1852 | DllCommonsvc.exe | 80
PID 1852 wrote to memory of 2460 | 1852 | DllCommonsvc.exe | 80
PID 1852 wrote to memory of 2460 | 1852 | DllCommonsvc.exe | 80
PID 1852 wrote to memory of 1680 | 1852 | DllCommonsvc.exe | 88
PID 1852 wrote to memory of 1680 | 1852 | DllCommonsvc.exe | 88
PID 1852 wrote to memory of 1680 | 1852 | DllCommonsvc.exe | 88
PID 1680 wrote to memory of 2284 | 1680 | csrss.exe | 94
PID 1680 wrote to memory of 2284 | 1680 | csrss.exe | 94
PID 1680 wrote to memory of 2284 | 1680 | csrss.exe | 94
PID 2284 wrote to memory of 1288 | 2284 | cmd.exe | 96
PID 2284 wrote to memory of 1288 | 2284 | cmd.exe | 96
PID 2284 wrote to memory of 1288 | 2284 | cmd.exe | 96
PID 2284 wrote to memory of 2156 | 2284 | cmd.exe | 97
PID 2284 wrote to memory of 2156 | 2284 | cmd.exe | 97
PID 2284 wrote to memory of 2156 | 2284 | cmd.exe | 97
PID 2156 wrote to memory of 1816 | 2156 | csrss.exe | 98
PID 2156 wrote to memory of 1816 | 2156 | csrss.exe | 98
PID 2156 wrote to memory of 1816 | 2156 | csrss.exe | 98
PID 1816 wrote to memory of 2628 | 1816 | cmd.exe | 100
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508

[depth 2] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832

[depth 4] C:\providercommon\DllCommonsvc.exe
  cmdline: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1852

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\OSPPSVC.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

[depth 5] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
[depth 6] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
  - Suspicious use of WriteProcessMemory
  PID:2284

[depth 7] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1288

[depth 7] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156

[depth 8] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
  - Suspicious use of WriteProcessMemory
  PID:1816

[depth 9] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2628

[depth 9] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

[depth 10] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
  PID:2996

[depth 11] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1760

[depth 11] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264

[depth 12] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
  PID:2972

[depth 13] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1564

[depth 13] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508

[depth 14] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat"
  PID:1940

[depth 15] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2624

[depth 15] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040

[depth 16] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
  PID:2884

[depth 17] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2188

[depth 17] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:344

[depth 18] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
  PID:1692

[depth 19] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1768

[depth 19] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:604

[depth 20] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
  PID:2904

[depth 21] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2060

[depth 21] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436

[depth 22] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat"
  PID:2816

[depth 23] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2728

[depth 23] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

[depth 24] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
  PID:864

[depth 25] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:300

[depth 25] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

[depth 26] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
  PID:1596

[depth 27] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2596

[depth 27] C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672

[depth 28] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
  PID:2624

[depth 29] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2760
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2632

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2624

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2884

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2596

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2628

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2676

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2432

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1940

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2032

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:560

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1744

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2816

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2776

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2920

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2968

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1304

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:844

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1740

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1432

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1500

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2000

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2072

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2012

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:320

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:632

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2528

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2052

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1256

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2132

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:408

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2452

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3040

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1524
Network
MITRE ATT&CK Enterprise v15
Downloads