Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 00:40
Behavioral task: behavioral1
Sample: JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe
Size: 1.3MB
MD5: 85b4c5a022e22b245a7fb98fa9975522
SHA1: 182af5ee0090daa84c683bbd9ebbeb43bbc24f9e
SHA256: c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8
SHA512: 325586b1bf7a1f337e7a1379a700763d4fbc6023b278bba0e7477c580cae4e6c16e5e30f43db3d617cd6db1115b89b9eebcefc4e8e2ef25d48f48a888bfcdf02
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1612 | powershell.exe
1828 | powershell.exe
920 | powershell.exe
2572 | powershell.exe
2412 | powershell.exe
292 | powershell.exe
1592 | powershell.exe
1580 | powershell.exe
572 | powershell.exe
468 | powershell.exe
556 | powershell.exe
3016 | powershell.exe
2276 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2760 | DllCommonsvc.exe
2044 | OSPPSVC.exe
2056 | OSPPSVC.exe
1956 | OSPPSVC.exe
1008 | OSPPSVC.exe
1272 | OSPPSVC.exe
2352 | OSPPSVC.exe
1044 | OSPPSVC.exe
1680 | OSPPSVC.exe
2156 | OSPPSVC.exe
824 | OSPPSVC.exe
1624 | OSPPSVC.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2472 | cmd.exe
2472 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
33 | raw.githubusercontent.com
40 | raw.githubusercontent.com
20 | raw.githubusercontent.com
23 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
-
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\Templates\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\Templates\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\en-US\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\en-US\taskhost.exe | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\assembly\GAC_64\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\assembly\GAC_64\cc11b995f2a76d | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c415dede2a0358921b59bce8c7e0b0b00a58a62753dd4a432104b44f7eb7a8.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\conhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRhF7PcXPa.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:1716
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:2720
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat" 9⤵ PID:2596
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:688
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat" 11⤵ PID:2800
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:1772
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat" 13⤵ PID:2388
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:1456
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat" 15⤵ PID:1592
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:800
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat" 17⤵ PID:468
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:2576
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat" 19⤵ PID:3052
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:300
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat" 21⤵ PID:2584
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:2244
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat" 23⤵ PID:848
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:980
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat" 25⤵ PID:2876
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:2952
-
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe" 26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat" 27⤵ PID:2948
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:2416
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_64\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB