Analysis
-
max time kernel
149s
-
max time network
154s
-
platform
windows7_x64
-
resource
win7-20241010-en
-
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
-
submitted
22-12-2024 01:02
Behavioral task
behavioral1
Sample
JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
-
Size
1.3MB
-
MD5
64cae7d041c959ee7545970d9622c85c
-
SHA1
1cf9db970ac32d19cd3db570ac42739ec3589549
-
SHA256
6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8
-
SHA512
4bcf5b15c5213bfc07b19045bcd30c690910f8c1db458bfc284c7b48b055c43be57788409ca83b29cf1c728d5b3c62e0d40b07d30a64b21b6be2805d448c5651
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 832 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2452 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 932 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2252 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1112 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 792 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1768 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 864 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1324 | 2944 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2944 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0009000000018b28-9.dat | dcrat
behavioral1/memory/2776-13-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
behavioral1/memory/2540-52-0x0000000001280000-0x0000000001390000-memory.dmp | dcrat
behavioral1/memory/524-305-0x0000000000160000-0x0000000000270000-memory.dmp | dcrat
behavioral1/memory/2456-366-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1168 | powershell.exe
1580 | powershell.exe
1620 | powershell.exe
2072 | powershell.exe
2596 | powershell.exe
2172 | powershell.exe
2556 | powershell.exe
1576 | powershell.exe
804 | powershell.exe
2604 | powershell.exe
2716 | powershell.exe
2560 | powershell.exe
1036 | powershell.exe
1040 | powershell.exe
2388 | powershell.exe
-
Executes dropped EXE 10 IoCs
pid | Process
2776 | DllCommonsvc.exe
2540 | cmd.exe
2384 | cmd.exe
2276 | cmd.exe
524 | cmd.exe
2456 | cmd.exe
2492 | cmd.exe
2172 | cmd.exe
704 | cmd.exe
2872 | cmd.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2972 | cmd.exe
2972 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
27 | raw.githubusercontent.com
31 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
13 | raw.githubusercontent.com
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\101b941d020240 | DllCommonsvc.exe
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Vss\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\Vss\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Windows\CSC\v2.0.6\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Globalization\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\Globalization\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Windows\debug\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\debug\088424020bedd6 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2268 | schtasks.exe
1956 | schtasks.exe
2428 | schtasks.exe
1260 | schtasks.exe
2836 | schtasks.exe
2252 | schtasks.exe
2416 | schtasks.exe
864 | schtasks.exe
1932 | schtasks.exe
2060 | schtasks.exe
2056 | schtasks.exe
1768 | schtasks.exe
2436 | schtasks.exe
1100 | schtasks.exe
2664 | schtasks.exe
2452 | schtasks.exe
1112 | schtasks.exe
2052 | schtasks.exe
2384 | schtasks.exe
1964 | schtasks.exe
2228 | schtasks.exe
1544 | schtasks.exe
2012 | schtasks.exe
1628 | schtasks.exe
832 | schtasks.exe
2748 | schtasks.exe
792 | schtasks.exe
2504 | schtasks.exe
2192 | schtasks.exe
784 | schtasks.exe
2448 | schtasks.exe
2220 | schtasks.exe
1208 | schtasks.exe
1920 | schtasks.exe
3068 | schtasks.exe
2080 | schtasks.exe
2188 | schtasks.exe
2004 | schtasks.exe
932 | schtasks.exe
2704 | schtasks.exe
1324 | schtasks.exe
2112 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
2776 | DllCommonsvc.exe
2776 | DllCommonsvc.exe
2776 | DllCommonsvc.exe
2388 | powershell.exe
804 | powershell.exe
2716 | powershell.exe
2172 | powershell.exe
2604 | powershell.exe
2072 | powershell.exe
1036 | powershell.exe
2560 | powershell.exe
1040 | powershell.exe
1580 | powershell.exe
1168 | powershell.exe
2556 | powershell.exe
2596 | powershell.exe
1576 | powershell.exe
1620 | powershell.exe
2540 | cmd.exe
2384 | cmd.exe
2276 | cmd.exe
524 | cmd.exe
2456 | cmd.exe
2492 | cmd.exe
2172 | cmd.exe
704 | cmd.exe
2872 | cmd.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2776 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 2540 | cmd.exe
Token: SeDebugPrivilege | 804 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 2716 | powershell.exe
Token: SeDebugPrivilege | 2604 | powershell.exe
Token: SeDebugPrivilege | 2072 | powershell.exe
Token: SeDebugPrivilege | 1036 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
Token: SeDebugPrivilege | 1040 | powershell.exe
Token: SeDebugPrivilege | 1580 | powershell.exe
Token: SeDebugPrivilege | 1168 | powershell.exe
Token: SeDebugPrivilege | 2556 | powershell.exe
Token: SeDebugPrivilege | 2596 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 1620 | powershell.exe
Token: SeDebugPrivilege | 2384 | cmd.exe
Token: SeDebugPrivilege | 2276 | cmd.exe
Token: SeDebugPrivilege | 524 | cmd.exe
Token: SeDebugPrivilege | 2456 | cmd.exe
Token: SeDebugPrivilege | 2492 | cmd.exe
Token: SeDebugPrivilege | 2172 | cmd.exe
Token: SeDebugPrivilege | 704 | cmd.exe
Token: SeDebugPrivilege | 2872 | cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\Idle.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\OSPPSVC.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\conhost.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\smss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2072
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
8⤵
PID:2420
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:2492
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
10⤵
PID:596
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:720
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
12⤵
PID:880
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:680
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
14⤵
PID:1500
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:1468
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
16⤵
PID:2080
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:536
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
18⤵
PID:2476
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1172
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
20⤵
PID:1688
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:1532
-
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Vss\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
Network
MITRE ATT&CK Enterprise v15
Downloads