Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 01:06
Behavioral task behavioral1
Sample: JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe
Size: 1.3MB
MD5: 9cd27df9b90df9bb1928b3d8548fd4c4
SHA1: 2f94e9e8aaa913dee25385328eb7236f6e775d83
SHA256: 1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482
SHA512: 3f2e5bac1fe4a1d8cfe9e5a312d92e53e8e0cd6f052f01a85b083f575e1a0ca1165bae34053b94b53c21be7fc35d75133e4a11b1039d57ce204d66532fcce3a3
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
1340 | 2524 | schtasks.exe | 32
2756 | 2524 | schtasks.exe | 32
2544 | 2524 | schtasks.exe | 32
1664 | 2524 | schtasks.exe | 32
2380 | 2524 | schtasks.exe | 32
1680 | 2524 | schtasks.exe | 32
332 | 2524 | schtasks.exe | 32
1112 | 2524 | schtasks.exe | 32
1492 | 2524 | schtasks.exe | 32
1660 | 2524 | schtasks.exe | 32
2736 | 2524 | schtasks.exe | 32
2800 | 2524 | schtasks.exe | 32
2824 | 2524 | schtasks.exe | 32
2844 | 2524 | schtasks.exe | 32
1932 | 2524 | schtasks.exe | 32
1816 | 2524 | schtasks.exe | 32
1348 | 2524 | schtasks.exe | 32
1808 | 2524 | schtasks.exe | 32
1740 | 2524 | schtasks.exe | 32
1636 | 2524 | schtasks.exe | 32
1508 | 2524 | schtasks.exe | 32
796 | 2524 | schtasks.exe | 32
2032 | 2524 | schtasks.exe | 32
1872 | 2524 | schtasks.exe | 32
2008 | 2524 | schtasks.exe | 32
2020 | 2524 | schtasks.exe | 32
2076 | 2524 | schtasks.exe | 32
2992 | 2524 | schtasks.exe | 32
2068 | 2524 | schtasks.exe | 32
2916 | 2524 | schtasks.exe | 32
772 | 2524 | schtasks.exe | 32
3036 | 2524 | schtasks.exe | 32
1708 | 2524 | schtasks.exe | 32
2352 | 2524 | schtasks.exe | 32
408 | 2524 | schtasks.exe | 32
1768 | 2524 | schtasks.exe | 32
1252 | 2524 | schtasks.exe | 32
2072 | 2524 | schtasks.exe | 32
1324 | 2524 | schtasks.exe | 32
resource | yara_rule
behavioral1/files/0x0008000000014b28-9.dat | dcrat
behavioral1/memory/2904-13-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat
behavioral1/memory/1964-111-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/2052-180-0x0000000000E30000-0x0000000000F40000-memory.dmp | dcrat
behavioral1/memory/2080-240-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat
behavioral1/memory/1932-478-0x0000000000380000-0x0000000000490000-memory.dmp | dcrat
behavioral1/memory/700-538-0x0000000000C90000-0x0000000000DA0000-memory.dmp | dcrat
behavioral1/memory/2840-658-0x0000000000050000-0x0000000000160000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
Loads dropped DLL 2 IoCs
pid | Process
2760 | cmd.exe
2760 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
23 | raw.githubusercontent.com
30 | raw.githubusercontent.com
16 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\ja-JP\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\de-DE\b75386f1303e64 | DllCommonsvc.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\addins\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\Panther\actionqueue\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\Panther\actionqueue\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\088424020bedd6 | DllCommonsvc.exe
File created | C:\Windows\addins\wininit.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 25 IoCs
Suspicious use of AdjustPrivilegeToken 25 IoCs
description (identical for every row): Token: SeDebugPrivilege
pid | Process
2904 | DllCommonsvc.exe
1164 | powershell.exe
928 | powershell.exe
1048 | powershell.exe
1356 | powershell.exe
888 | powershell.exe
2044 | powershell.exe
916 | powershell.exe
812 | powershell.exe
1832 | powershell.exe
568 | powershell.exe
1368 | powershell.exe
1880 | powershell.exe
1784 | powershell.exe
1576 | powershell.exe
1964 | dllhost.exe
2052 | dllhost.exe
2080 | dllhost.exe
1560 | dllhost.exe
2980 | dllhost.exe
2060 | dllhost.exe
1932 | dllhost.exe
700 | dllhost.exe
2652 | dllhost.exe
2840 | dllhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (depth 1, PID 1044): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Process (depth 2, PID 2964): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Process (depth 3, PID 2760): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Process (depth 4, PID 2904): C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process (depth 5, PID 1880): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1356): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1368): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1576): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 2044): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 812): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1164): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1832): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1048): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 916): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 928): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 888): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 568): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1784): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 5, PID 1964): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Process (depth 6, PID 2888): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
- Suspicious use of WriteProcessMemory
Process (depth 7, PID 2624): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 7, PID 2052): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 8, PID 2908): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
Process (depth 9, PID 2320): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 9, PID 2080): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 10, PID 2204): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
Process (depth 11, PID 1784): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 11, PID 1560): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 12, PID 2924): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
Process (depth 13, PID 1724): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 13, PID 2980): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 14, PID 1356): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
Process (depth 15, PID 2580): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 15, PID 2060): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 16, PID 2688): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
Process (depth 17, PID 1860): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 17, PID 1932): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 18, PID 996): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
Process (depth 19, PID 2676): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 19, PID 700): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 20, PID 2564): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
Process (depth 21, PID 676): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 21, PID 2652): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 22, PID 2240): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
Process (depth 23, PID 868): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 23, PID 2840): C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Process (depth 24, PID 2272): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
Process (depth 25, PID 2512): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Process (depth 1, PID 1340): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2756): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2544): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 1664): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2380): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 1680): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 332): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 1112): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 1492): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 1660): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2736): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2800): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2824): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 2844): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Process (depth 1, PID 1932): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
Network
MITRE ATT&CK Enterprise v15
Downloads