Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 00:38
Behavioral tasks
- behavioral1: Sample JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe, Resource win7-20240903-en
- behavioral2: Sample JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe, Resource win10v2004-20241007-en
General
- Target: JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe
- Size: 1.3MB
- MD5: d9468ae2c998694c7d94edbdbe9e2e26
- SHA1: ed6b929cb36c3992dbd526c70977c067f2a54966
- SHA256: 79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138
- SHA512: b2d2078abaf2a2bad4e195afeb9c119a1f177442e4abe3ce6126244af588994b556f9b1703034c027e55cc35976dce3200bdfd362c1cf441fe83c3988a09bbe3
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2812 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 476 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1040 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 592 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 708 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 352 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1060 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 272 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1748 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1560 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1588 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 324 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 284 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2612 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 2612 | schtasks.exe | 34 |
| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000018d7b-10.dat | dcrat |
| behavioral1/memory/1648-13-0x0000000000F60000-0x0000000001070000-memory.dmp | dcrat |
| behavioral1/memory/1580-122-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat |
| behavioral1/memory/2336-181-0x00000000001A0000-0x00000000002B0000-memory.dmp | dcrat |
| behavioral1/memory/2244-241-0x0000000000040000-0x0000000000150000-memory.dmp | dcrat |
| behavioral1/memory/888-302-0x0000000000030000-0x0000000000140000-memory.dmp | dcrat |
| behavioral1/memory/1708-362-0x0000000000D40000-0x0000000000E50000-memory.dmp | dcrat |
| behavioral1/memory/584-422-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell (1 TTPs, 14 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
|---|---|
| 908 | powershell.exe |
| 2284 | powershell.exe |
| 556 | powershell.exe |
| 1832 | powershell.exe |
| 1636 | powershell.exe |
| 2308 | powershell.exe |
| 2292 | powershell.exe |
| 2548 | powershell.exe |
| 2040 | powershell.exe |
| 924 | powershell.exe |
| 2472 | powershell.exe |
| 2440 | powershell.exe |
| 2068 | powershell.exe |
| 2408 | powershell.exe |
Executes dropped EXE (11 IoCs)
| pid | Process |
|---|---|
| 1648 | DllCommonsvc.exe |
| 1580 | lsass.exe |
| 2336 | lsass.exe |
| 2244 | lsass.exe |
| 888 | lsass.exe |
| 1708 | lsass.exe |
| 584 | lsass.exe |
| 904 | lsass.exe |
| 1224 | lsass.exe |
| 2360 | lsass.exe |
| 2084 | lsass.exe |
Loads dropped DLL (2 IoCs)
| pid | Process |
|---|---|
| 2908 | cmd.exe |
| 2908 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
| flow | ioc |
|---|---|
| 24 | raw.githubusercontent.com |
| 13 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 20 | raw.githubusercontent.com |
| 27 | raw.githubusercontent.com |
| 31 | raw.githubusercontent.com |
| 34 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
Drops file in Program Files directory (6 IoCs)
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 | DllCommonsvc.exe |
| File created | C:\Program Files\Common Files\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Common Files\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\de-DE\0a1fd5f707cd16 | DllCommonsvc.exe |
| File created | C:\Program Files\7-Zip\Lang\dwm.exe | DllCommonsvc.exe |
Drops file in Windows directory (10 IoCs)
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Globalization\MCT\MCT-GB\6cb0b6c459d5d3 | DllCommonsvc.exe |
| File created | C:\Windows\Migration\WTR\audiodg.exe | DllCommonsvc.exe |
| File created | C:\Windows\Migration\WTR\42af1c969fbb7b | DllCommonsvc.exe |
| File created | C:\Windows\Media\c5b4cb5e9653cc | DllCommonsvc.exe |
| File created | C:\Windows\Help\OEM\cmd.exe | DllCommonsvc.exe |
| File created | C:\Windows\Help\OEM\ebf1f9fa8afd6d | DllCommonsvc.exe |
| File created | C:\Windows\Globalization\MCT\MCT-GB\dwm.exe | DllCommonsvc.exe |
| File created | C:\Windows\assembly\tmp\cmd.exe | DllCommonsvc.exe |
| File created | C:\Windows\assembly\tmp\ebf1f9fa8afd6d | DllCommonsvc.exe |
| File created | C:\Windows\Media\services.exe | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|
| 2872 | schtasks.exe |
| 708 | schtasks.exe |
| 2592 | schtasks.exe |
| 1688 | schtasks.exe |
| 2396 | schtasks.exe |
| 1560 | schtasks.exe |
| 324 | schtasks.exe |
| 2600 | schtasks.exe |
| 2960 | schtasks.exe |
| 2116 | schtasks.exe |
| 1704 | schtasks.exe |
| 1360 | schtasks.exe |
| 3068 | schtasks.exe |
| 272 | schtasks.exe |
| 1680 | schtasks.exe |
| 2656 | schtasks.exe |
| 476 | schtasks.exe |
| 1748 | schtasks.exe |
| 1588 | schtasks.exe |
| 1812 | schtasks.exe |
| 2812 | schtasks.exe |
| 2136 | schtasks.exe |
| 1040 | schtasks.exe |
| 2080 | schtasks.exe |
| 1800 | schtasks.exe |
| 1020 | schtasks.exe |
| 1676 | schtasks.exe |
| 2716 | schtasks.exe |
| 2268 | schtasks.exe |
| 2424 | schtasks.exe |
| 592 | schtasks.exe |
| 1060 | schtasks.exe |
| 1532 | schtasks.exe |
| 284 | schtasks.exe |
| 1816 | schtasks.exe |
| 2932 | schtasks.exe |
| 840 | schtasks.exe |
| 1788 | schtasks.exe |
| 352 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (25 IoCs)
| pid | Process |
|---|---|
| 1648 | DllCommonsvc.exe |
| 1636 | powershell.exe |
| 1832 | powershell.exe |
| 556 | powershell.exe |
| 924 | powershell.exe |
| 2068 | powershell.exe |
| 2408 | powershell.exe |
| 2292 | powershell.exe |
| 2308 | powershell.exe |
| 908 | powershell.exe |
| 2040 | powershell.exe |
| 2548 | powershell.exe |
| 2440 | powershell.exe |
| 2284 | powershell.exe |
| 2472 | powershell.exe |
| 1580 | lsass.exe |
| 2336 | lsass.exe |
| 2244 | lsass.exe |
| 888 | lsass.exe |
| 1708 | lsass.exe |
| 584 | lsass.exe |
| 904 | lsass.exe |
| 1224 | lsass.exe |
| 2360 | lsass.exe |
| 2084 | lsass.exe |
Suspicious use of AdjustPrivilegeToken (25 IoCs)
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1648 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 1636 | powershell.exe |
| Token: SeDebugPrivilege | 1832 | powershell.exe |
| Token: SeDebugPrivilege | 556 | powershell.exe |
| Token: SeDebugPrivilege | 924 | powershell.exe |
| Token: SeDebugPrivilege | 2068 | powershell.exe |
| Token: SeDebugPrivilege | 2408 | powershell.exe |
| Token: SeDebugPrivilege | 2292 | powershell.exe |
| Token: SeDebugPrivilege | 2308 | powershell.exe |
| Token: SeDebugPrivilege | 908 | powershell.exe |
| Token: SeDebugPrivilege | 2040 | powershell.exe |
| Token: SeDebugPrivilege | 2548 | powershell.exe |
| Token: SeDebugPrivilege | 2440 | powershell.exe |
| Token: SeDebugPrivilege | 2284 | powershell.exe |
| Token: SeDebugPrivilege | 2472 | powershell.exe |
| Token: SeDebugPrivilege | 1580 | lsass.exe |
| Token: SeDebugPrivilege | 2336 | lsass.exe |
| Token: SeDebugPrivilege | 2244 | lsass.exe |
| Token: SeDebugPrivilege | 888 | lsass.exe |
| Token: SeDebugPrivilege | 1708 | lsass.exe |
| Token: SeDebugPrivilege | 584 | lsass.exe |
| Token: SeDebugPrivilege | 904 | lsass.exe |
| Token: SeDebugPrivilege | 1224 | lsass.exe |
| Token: SeDebugPrivilege | 2360 | lsass.exe |
| Token: SeDebugPrivilege | 2084 | lsass.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1984 wrote to memory of 1684 | 1984 | JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe | 30 |
| PID 1984 wrote to memory of 1684 | 1984 | JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe | 30 |
| PID 1984 wrote to memory of 1684 | 1984 | JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe | 30 |
| PID 1984 wrote to memory of 1684 | 1984 | JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe | 30 |
| PID 1684 wrote to memory of 2908 | 1684 | WScript.exe | 31 |
| PID 1684 wrote to memory of 2908 | 1684 | WScript.exe | 31 |
| PID 1684 wrote to memory of 2908 | 1684 | WScript.exe | 31 |
| PID 1684 wrote to memory of 2908 | 1684 | WScript.exe | 31 |
| PID 2908 wrote to memory of 1648 | 2908 | cmd.exe | 33 |
| PID 2908 wrote to memory of 1648 | 2908 | cmd.exe | 33 |
| PID 2908 wrote to memory of 1648 | 2908 | cmd.exe | 33 |
| PID 2908 wrote to memory of 1648 | 2908 | cmd.exe | 33 |
| PID 1648 wrote to memory of 908 | 1648 | DllCommonsvc.exe | 74 |
| PID 1648 wrote to memory of 908 | 1648 | DllCommonsvc.exe | 74 |
| PID 1648 wrote to memory of 908 | 1648 | DllCommonsvc.exe | 74 |
| PID 1648 wrote to memory of 924 | 1648 | DllCommonsvc.exe | 75 |
| PID 1648 wrote to memory of 924 | 1648 | DllCommonsvc.exe | 75 |
| PID 1648 wrote to memory of 924 | 1648 | DllCommonsvc.exe | 75 |
| PID 1648 wrote to memory of 556 | 1648 | DllCommonsvc.exe | 76 |
| PID 1648 wrote to memory of 556 | 1648 | DllCommonsvc.exe | 76 |
| PID 1648 wrote to memory of 556 | 1648 | DllCommonsvc.exe | 76 |
| PID 1648 wrote to memory of 1636 | 1648 | DllCommonsvc.exe | 78 |
| PID 1648 wrote to memory of 1636 | 1648 | DllCommonsvc.exe | 78 |
| PID 1648 wrote to memory of 1636 | 1648 | DllCommonsvc.exe | 78 |
| PID 1648 wrote to memory of 2472 | 1648 | DllCommonsvc.exe | 80 |
| PID 1648 wrote to memory of 2472 | 1648 | DllCommonsvc.exe | 80 |
| PID 1648 wrote to memory of 2472 | 1648 | DllCommonsvc.exe | 80 |
| PID 1648 wrote to memory of 2040 | 1648 | DllCommonsvc.exe | 82 |
| PID 1648 wrote to memory of 2040 | 1648 | DllCommonsvc.exe | 82 |
| PID 1648 wrote to memory of 2040 | 1648 | DllCommonsvc.exe | 82 |
| PID 1648 wrote to memory of 2548 | 1648 | DllCommonsvc.exe | 83 |
| PID 1648 wrote to memory of 2548 | 1648 | DllCommonsvc.exe | 83 |
| PID 1648 wrote to memory of 2548 | 1648 | DllCommonsvc.exe | 83 |
| PID 1648 wrote to memory of 2292 | 1648 | DllCommonsvc.exe | 84 |
| PID 1648 wrote to memory of 2292 | 1648 | DllCommonsvc.exe | 84 |
| PID 1648 wrote to memory of 2292 | 1648 | DllCommonsvc.exe | 84 |
| PID 1648 wrote to memory of 2408 | 1648 | DllCommonsvc.exe | 85 |
| PID 1648 wrote to memory of 2408 | 1648 | DllCommonsvc.exe | 85 |
| PID 1648 wrote to memory of 2408 | 1648 | DllCommonsvc.exe | 85 |
| PID 1648 wrote to memory of 2284 | 1648 | DllCommonsvc.exe | 90 |
| PID 1648 wrote to memory of 2284 | 1648 | DllCommonsvc.exe | 90 |
| PID 1648 wrote to memory of 2284 | 1648 | DllCommonsvc.exe | 90 |
| PID 1648 wrote to memory of 2068 | 1648 | DllCommonsvc.exe | 91 |
| PID 1648 wrote to memory of 2068 | 1648 | DllCommonsvc.exe | 91 |
| PID 1648 wrote to memory of 2068 | 1648 | DllCommonsvc.exe | 91 |
| PID 1648 wrote to memory of 1832 | 1648 | DllCommonsvc.exe | 92 |
| PID 1648 wrote to memory of 1832 | 1648 | DllCommonsvc.exe | 92 |
| PID 1648 wrote to memory of 1832 | 1648 | DllCommonsvc.exe | 92 |
| PID 1648 wrote to memory of 2440 | 1648 | DllCommonsvc.exe | 93 |
| PID 1648 wrote to memory of 2440 | 1648 | DllCommonsvc.exe | 93 |
| PID 1648 wrote to memory of 2440 | 1648 | DllCommonsvc.exe | 93 |
| PID 1648 wrote to memory of 2308 | 1648 | DllCommonsvc.exe | 94 |
| PID 1648 wrote to memory of 2308 | 1648 | DllCommonsvc.exe | 94 |
| PID 1648 wrote to memory of 2308 | 1648 | DllCommonsvc.exe | 94 |
| PID 1648 wrote to memory of 2528 | 1648 | DllCommonsvc.exe | 102 |
| PID 1648 wrote to memory of 2528 | 1648 | DllCommonsvc.exe | 102 |
| PID 1648 wrote to memory of 2528 | 1648 | DllCommonsvc.exe | 102 |
| PID 2528 wrote to memory of 2796 | 2528 | cmd.exe | 104 |
| PID 2528 wrote to memory of 2796 | 2528 | cmd.exe | 104 |
| PID 2528 wrote to memory of 2796 | 2528 | cmd.exe | 104 |
| PID 2528 wrote to memory of 1580 | 2528 | cmd.exe | 106 |
| PID 2528 wrote to memory of 1580 | 2528 | cmd.exe | 106 |
| PID 2528 wrote to memory of 1580 | 2528 | cmd.exe | 106 |
| PID 1580 wrote to memory of 1000 | 1580 | lsass.exe | 107 |
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (tree depth shown in brackets):
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1984
[depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1684
[depth 3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2908
[depth 4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1648
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 908
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 924
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 556
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1636
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2472
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2040
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2548
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2292
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\tmp\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2408
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2284
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2068
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1832
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2440
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2308
[depth 5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BesxsIGQPd.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2528
[depth 6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2796
[depth 6] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1580
[depth 7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
    PID: 1000
[depth 8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2280
[depth 8] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2336
[depth 9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
    PID: 908
[depth 10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 764
[depth 10] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2244
[depth 11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
    PID: 1800
[depth 12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3004
[depth 12] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 888
[depth 13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
    PID: 1336
[depth 14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2168
[depth 14] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1708
[depth 15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
    PID: 1788
[depth 16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2228
[depth 16] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 584
[depth 17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
    PID: 2548
[depth 18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2108
[depth 18] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 904
[depth 19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
    PID: 848
[depth 20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2676
[depth 20] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1224
[depth 21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
    PID: 2428
[depth 22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2388
[depth 22] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2360
[depth 23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
    PID: 2728
[depth 24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2184
[depth 24] C:\Users\Public\Pictures\lsass.exe
    Command line: "C:\Users\Public\Pictures\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2084
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2872
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2812
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2136
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\OEM\cmd.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2716
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Help\OEM\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2600
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\OEM\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2656
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2268
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1816
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 476
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1040
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2424
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 592
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 708
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 352
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1060
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2592
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2080
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 272
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1748
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1688
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2960
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\tmp\cmd.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2932
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\assembly\tmp\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2116
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\tmp\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1704
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2396
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1800
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1560
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1588
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1020
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 840
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\services.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 324
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1532
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1360
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1812
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3068
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 284
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
Network
MITRE ATT&CK Enterprise v15
Downloads