Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 00:28
Behavioral task
behavioral1
Sample
JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
-
Size
1.3MB
-
MD5
22abe89f8f3ac704829c29e7197e0fd2
-
SHA1
2913dbf57df2a0c2ab5040e2563daa07026a9b68
-
SHA256
72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a
-
SHA512
58013ec6b158dc0d403e04e790d17093b48361108e2652f74749dcadab86f3f6f92e63443797dc6918019dcde594e98f36eb346dba449d195fd0b5edcfd5fcb9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid | Process
2716 | DllCommonsvc.exe
1724 | conhost.exe
908 | conhost.exe
2024 | conhost.exe
1044 | conhost.exe
2840 | conhost.exe
1756 | conhost.exe
2716 | conhost.exe
752 | conhost.exe
2660 | conhost.exe
2992 | conhost.exe
1592 | conhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2840 | cmd.exe
2840 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
22 | raw.githubusercontent.com
28 | raw.githubusercontent.com
31 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
25 | raw.githubusercontent.com
35 | raw.githubusercontent.com
12 | raw.githubusercontent.com
18 | raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\en-US\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\en-US\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\6203df4a6bafc7 | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\ServiceProfiles\NetworkService\Downloads\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Windows\Speech\Engines\Lexicon\de-DE\winlogon.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2252
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"8⤵PID:2828
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2272
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"10⤵PID:2340
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2320
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"12⤵PID:1256
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2588
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"14⤵PID:408
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2036
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"16⤵PID:1040
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2320
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"18⤵PID:2696
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1652
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"20⤵PID:2360
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1144
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"22⤵PID:2636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1276
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"24⤵PID:2928
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2632
-
-
C:\Users\Default\Saved Games\conhost.exe"C:\Users\Default\Saved Games\conhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
Network
MITRE ATT&CK Enterprise v15
Downloads