Analysis
-
max time kernel
146s
-
max time network
146s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
22-12-2024 01:36
Behavioral task
behavioral1
Sample
JaffaCakes118_fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8.exe
-
Size
1.3MB
-
MD5
eab5d8ba642b56cf7d68abeb9f4a60a9
-
SHA1
f1badd421425c5d9d97c5b862ef29520d34e4ef4
-
SHA256
fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8
-
SHA512
d707ef3663abcdb9264fa996c0d7478f6184802a1ff003c13967cd75f7c9bf58b6c970ba5a25c1f0584656ffaef9a092beb7b6d097df94a75aa12abdcbbd619b
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2896 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2896 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2896 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2896 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2896 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2896 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0008000000016dd1-11.dat | dcrat
behavioral1/memory/2436-13-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/284-28-0x0000000000930000-0x0000000000A40000-memory.dmp | dcrat
behavioral1/memory/2304-103-0x00000000009A0000-0x0000000000AB0000-memory.dmp | dcrat
behavioral1/memory/3052-163-0x0000000001200000-0x0000000001310000-memory.dmp | dcrat
behavioral1/memory/1196-283-0x0000000000320000-0x0000000000430000-memory.dmp | dcrat
behavioral1/memory/1240-343-0x0000000001030000-0x0000000001140000-memory.dmp | dcrat
behavioral1/memory/1744-522-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2688 | powershell.exe
2384 | powershell.exe
2736 | powershell.exe
-
Executes dropped EXE 10 IoCs
pid | Process
2436 | DllCommonsvc.exe
284 | taskhost.exe
2304 | taskhost.exe
3052 | taskhost.exe
1896 | taskhost.exe
1196 | taskhost.exe
1240 | taskhost.exe
804 | taskhost.exe
824 | taskhost.exe
1744 | taskhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2320 | cmd.exe
2320 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
5 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
4 | raw.githubusercontent.com
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\inf\winlogon.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\inf\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\inf\cc11b995f2a76d | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3004 | schtasks.exe
2788 | schtasks.exe
2664 | schtasks.exe
2620 | schtasks.exe
2204 | schtasks.exe
2732 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
2436 | DllCommonsvc.exe
2736 | powershell.exe
2384 | powershell.exe
2688 | powershell.exe
284 | taskhost.exe
2304 | taskhost.exe
3052 | taskhost.exe
1896 | taskhost.exe
1196 | taskhost.exe
1240 | taskhost.exe
804 | taskhost.exe
824 | taskhost.exe
1744 | taskhost.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2436 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2736 | powershell.exe
Token: SeDebugPrivilege | 2384 | powershell.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 284 | taskhost.exe
Token: SeDebugPrivilege | 2304 | taskhost.exe
Token: SeDebugPrivilege | 3052 | taskhost.exe
Token: SeDebugPrivilege | 1896 | taskhost.exe
Token: SeDebugPrivilege | 1196 | taskhost.exe
Token: SeDebugPrivilege | 1240 | taskhost.exe
Token: SeDebugPrivilege | 804 | taskhost.exe
Token: SeDebugPrivilege | 824 | taskhost.exe
Token: SeDebugPrivilege | 1744 | taskhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb17bf49139bfa51ff7e8de632f59b7c8919fb1d1cfab10fa4001df9d90ecad8.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080

[depth 2] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792

[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320

[depth 4] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

[depth 5] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:284

[depth 6] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
- Suspicious use of WriteProcessMemory
PID:1176

[depth 7] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2496

[depth 7] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

[depth 8] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
- Suspicious use of WriteProcessMemory
PID:536

[depth 9] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:660

[depth 9] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

[depth 10] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
- Suspicious use of WriteProcessMemory
PID:1748

[depth 11] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2652

[depth 11] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

[depth 12] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
- Suspicious use of WriteProcessMemory
PID:692

[depth 13] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1544

[depth 13] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

[depth 14] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
- Suspicious use of WriteProcessMemory
PID:1924

[depth 15] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2328

[depth 15] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

[depth 16] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
PID:2320

[depth 17] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2012

[depth 17] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

[depth 18] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"
PID:1108

[depth 19] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:952

[depth 19] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

[depth 20] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
PID:2312

[depth 21] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2528

[depth 21] C:\providercommon\taskhost.exe
Command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

[depth 22] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
PID:2660

[depth 23] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2788

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\inf\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
Network
MITRE ATT&CK Enterprise v15
Downloads