Analysis
max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
22-12-2024 07:17
Behavioral task
behavioral1
Sample
JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe
-
Size
1.3MB
-
MD5
84de3f255557da4cfab6e677f221e62d
-
SHA1
9ee230fa22db98e4d9bd337ad3a7b0727ec1335b
-
SHA256
cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05
-
SHA512
dbba67a7d6547cae444edcaf7153200cbe148ef8b6f2b7910c9a408cdddbb42f779546dd673503c02caee0f64f9736f0d23118e7d6ab648b88e1979edade384c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2772 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1388 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1240 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2492 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 556 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 856 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1556 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2040 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 992 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2336 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 2796 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x000700000001921d-9.dat | dcrat
behavioral1/memory/3048-13-0x0000000000B00000-0x0000000000C10000-memory.dmp | dcrat
behavioral1/memory/1544-48-0x0000000000190000-0x00000000002A0000-memory.dmp | dcrat
behavioral1/memory/2424-173-0x0000000000FD0000-0x00000000010E0000-memory.dmp | dcrat
behavioral1/memory/2572-292-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat
behavioral1/memory/648-470-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat
behavioral1/memory/2516-648-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
pid Process 3016 cmd.exe 3016 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 19 raw.githubusercontent.com 26 raw.githubusercontent.com 36 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 12 raw.githubusercontent.com 29 raw.githubusercontent.com 32 raw.githubusercontent.com 4 raw.githubusercontent.com 16 raw.githubusercontent.com 23 raw.githubusercontent.com -
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Sync Framework\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\es-ES\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\ja-JP\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\ja-JP\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\System.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the victim's system language in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3048 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3032 | powershell.exe
Token: SeDebugPrivilege | 2864 | powershell.exe
Token: SeDebugPrivilege | 2168 | powershell.exe
Token: SeDebugPrivilege | 1956 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 1612 | powershell.exe
Token: SeDebugPrivilege | 2012 | powershell.exe
Token: SeDebugPrivilege | 2624 | powershell.exe
Token: SeDebugPrivilege | 620 | powershell.exe
Token: SeDebugPrivilege | 1588 | powershell.exe
Token: SeDebugPrivilege | 288 | powershell.exe
Token: SeDebugPrivilege | 2240 | powershell.exe
Token: SeDebugPrivilege | 2392 | powershell.exe
Token: SeDebugPrivilege | 1544 | spoolsv.exe
Token: SeDebugPrivilege | 2424 | spoolsv.exe
Token: SeDebugPrivilege | 2144 | spoolsv.exe
Token: SeDebugPrivilege | 2572 | spoolsv.exe
Token: SeDebugPrivilege | 2284 | spoolsv.exe
Token: SeDebugPrivilege | 352 | spoolsv.exe
Token: SeDebugPrivilege | 648 | spoolsv.exe
Token: SeDebugPrivilege | 2728 | spoolsv.exe
Token: SeDebugPrivilege | 704 | spoolsv.exe
Token: SeDebugPrivilege | 2516 | spoolsv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:1708
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat" 8⤵ PID:916
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2108
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat" 10⤵ PID:1080
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:1892
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat" 12⤵ PID:888
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:1668
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat" 14⤵ PID:2424
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:916
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat" 16⤵ PID:1892
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:856
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat" 18⤵ PID:2304
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:1708
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat" 20⤵ PID:1416
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:2864
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat" 22⤵ PID:2924
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2696
-
-
C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat" 24⤵ PID:1512
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:1648
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
Network
MITRE ATT&CK Enterprise v15
Downloads