Analysis
-
max time kernel
147s
-
max time network
149s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
22-12-2024 01:18
Behavioral task
behavioral1
Sample
JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe
-
Size
1.3MB
-
MD5
5f4aab056bab46b7eebb56c88cb334e3
-
SHA1
b9ff4b731f5e3d58f42a1000cbd96c6da6db0ee0
-
SHA256
f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b
-
SHA512
0cdc260b14c3b4c0d794411a4d7f17152bccd337be82152b9e7fae3eb993b996efa5ff47270b5115780b14d37a2b6af9312fc6f8ae040fd83cb5206d6f170f58
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 340 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1756 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2052 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1012 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1908 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1904 | 2836 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2040 | 2836 | schtasks.exe | 35 |
-
| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0008000000015d59-9.dat | dcrat |
| behavioral1/memory/2340-13-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat |
| behavioral1/memory/2576-116-0x00000000008C0000-0x00000000009D0000-memory.dmp | dcrat |
| behavioral1/memory/1972-176-0x0000000001010000-0x0000000001120000-memory.dmp | dcrat |
| behavioral1/memory/2868-236-0x0000000000180000-0x0000000000290000-memory.dmp | dcrat |
| behavioral1/memory/1736-296-0x0000000000B10000-0x0000000000C20000-memory.dmp | dcrat |
| behavioral1/memory/1896-415-0x0000000000EE0000-0x0000000000FF0000-memory.dmp | dcrat |
| behavioral1/memory/1196-653-0x00000000010F0000-0x0000000001200000-memory.dmp | dcrat |
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
| pid | Process |
| --- | --- |
| 608 | powershell.exe |
| 1788 | powershell.exe |
| 2568 | powershell.exe |
| 2316 | powershell.exe |
| 2440 | powershell.exe |
| 1504 | powershell.exe |
| 1376 | powershell.exe |
| 2212 | powershell.exe |
| 2072 | powershell.exe |
| 2312 | powershell.exe |
| 2352 | powershell.exe |
| 1936 | powershell.exe |
| 2424 | powershell.exe |
-
Executes dropped EXE 11 IoCs
| pid | Process |
| --- | --- |
| 2340 | DllCommonsvc.exe |
| 2576 | audiodg.exe |
| 1972 | audiodg.exe |
| 2868 | audiodg.exe |
| 1736 | audiodg.exe |
| 2160 | audiodg.exe |
| 1896 | audiodg.exe |
| 1164 | audiodg.exe |
| 2080 | audiodg.exe |
| 2964 | audiodg.exe |
| 1196 | audiodg.exe |
-
Loads dropped DLL 2 IoCs
| pid | Process |
| --- | --- |
| 2360 | cmd.exe |
| 2360 | cmd.exe |
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
| flow | ioc |
| --- | --- |
| 16 | raw.githubusercontent.com |
| 22 | raw.githubusercontent.com |
| 25 | raw.githubusercontent.com |
| 29 | raw.githubusercontent.com |
| 35 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 19 | raw.githubusercontent.com |
| 32 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
-
Drops file in Program Files directory 6 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\Windows NT\TableTextService\de-DE\b75386f1303e64 | DllCommonsvc.exe |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\42af1c969fbb7b | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Sidebar\Shared Gadgets\ebf1f9fa8afd6d | DllCommonsvc.exe |
| File created | C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe | DllCommonsvc.exe |
-
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\spoolsv.exe | DllCommonsvc.exe |
| File created | C:\Windows\Tasks\f3b6ecef712a24 | DllCommonsvc.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2340 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2212 | powershell.exe |
| Token: SeDebugPrivilege | 2316 | powershell.exe |
| Token: SeDebugPrivilege | 2312 | powershell.exe |
| Token: SeDebugPrivilege | 2352 | powershell.exe |
| Token: SeDebugPrivilege | 2424 | powershell.exe |
| Token: SeDebugPrivilege | 1788 | powershell.exe |
| Token: SeDebugPrivilege | 1504 | powershell.exe |
| Token: SeDebugPrivilege | 1376 | powershell.exe |
| Token: SeDebugPrivilege | 2072 | powershell.exe |
| Token: SeDebugPrivilege | 2440 | powershell.exe |
| Token: SeDebugPrivilege | 2568 | powershell.exe |
| Token: SeDebugPrivilege | 1936 | powershell.exe |
| Token: SeDebugPrivilege | 608 | powershell.exe |
| Token: SeDebugPrivilege | 2576 | audiodg.exe |
| Token: SeDebugPrivilege | 1972 | audiodg.exe |
| Token: SeDebugPrivilege | 2868 | audiodg.exe |
| Token: SeDebugPrivilege | 1736 | audiodg.exe |
| Token: SeDebugPrivilege | 2160 | audiodg.exe |
| Token: SeDebugPrivilege | 1896 | audiodg.exe |
| Token: SeDebugPrivilege | 1164 | audiodg.exe |
| Token: SeDebugPrivilege | 2080 | audiodg.exe |
| Token: SeDebugPrivilege | 2964 | audiodg.exe |
| Token: SeDebugPrivilege | 1196 | audiodg.exe |
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FECcZAZ6Xv.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2068
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:2716
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat" 9⤵ PID:3060
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2364
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat" 11⤵ PID:1564
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:2772
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat" 13⤵ PID:2108
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:2528
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat" 15⤵ PID:920
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:2172
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat" 17⤵ PID:2196
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:2068
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat" 19⤵ PID:1412
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:2648
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat" 21⤵ PID:2428
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:1660
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat" 23⤵ PID:2420
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:3064
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat" 25⤵ PID:2140
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:2264
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
Network
MITRE ATT&CK Enterprise v15
Downloads