Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 10:02
Behavioral task
behavioral1
Sample
JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
Resource
win10v2004-20241007-en
General
- Target: JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
- Size: 1.3MB
- MD5: 3238125d5b0e217b96771a01ea0b549e
- SHA1: 0d9c0ddce60ad1feb5faeda5b189a1763053f930
- SHA256: 080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92
- SHA512: 88f2c39ad0eec7397e879731b6709de200d7d88a161de62c1ebf98f65f970e078454ebf23381919adc1d5e472d80c9c756b8f5159274ebefd549d2e7c063bbe5
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 2956 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2956 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1904 | 2956 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2956 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2956 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2956 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0007000000016cab-10.dat | dcrat
behavioral1/memory/2724-13-0x0000000001040000-0x0000000001150000-memory.dmp | dcrat
behavioral1/memory/2720-35-0x0000000001220000-0x0000000001330000-memory.dmp | dcrat
behavioral1/memory/2908-399-0x00000000001F0000-0x0000000000300000-memory.dmp | dcrat
behavioral1/memory/756-459-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2276 | powershell.exe
2324 | powershell.exe
2376 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2724 | DllCommonsvc.exe
2720 | lsm.exe
2308 | lsm.exe
2924 | lsm.exe
1916 | lsm.exe
1984 | lsm.exe
1816 | lsm.exe
2908 | lsm.exe
756 | lsm.exe
1600 | lsm.exe
2788 | lsm.exe
-
Loads dropped DLL 2 IoCs
pid | Process
868 | cmd.exe
868 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
29 | raw.githubusercontent.com
9 | raw.githubusercontent.com
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Cursors\audiodg.exe | DllCommonsvc.exe
File created | C:\Windows\Cursors\42af1c969fbb7b | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2696 | schtasks.exe
2104 | schtasks.exe
2644 | schtasks.exe
2756 | schtasks.exe
1904 | schtasks.exe
2636 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2724 | DllCommonsvc.exe
2376 | powershell.exe
2276 | powershell.exe
2324 | powershell.exe
2720 | lsm.exe
2308 | lsm.exe
2924 | lsm.exe
1916 | lsm.exe
1984 | lsm.exe
1816 | lsm.exe
2908 | lsm.exe
756 | lsm.exe
1600 | lsm.exe
2788 | lsm.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2724 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 2276 | powershell.exe
Token: SeDebugPrivilege | 2324 | powershell.exe
Token: SeDebugPrivilege | 2720 | lsm.exe
Token: SeDebugPrivilege | 2308 | lsm.exe
Token: SeDebugPrivilege | 2924 | lsm.exe
Token: SeDebugPrivilege | 1916 | lsm.exe
Token: SeDebugPrivilege | 1984 | lsm.exe
Token: SeDebugPrivilege | 1816 | lsm.exe
Token: SeDebugPrivilege | 2908 | lsm.exe
Token: SeDebugPrivilege | 756 | lsm.exe
Token: SeDebugPrivilege | 1600 | lsm.exe
Token: SeDebugPrivilege | 2788 | lsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- 1⤵ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe"
  PID: 2272
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 2⤵ C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2536
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 3⤵ C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  PID: 868
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 4⤵ C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 2724
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 2376
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
  PID: 2324
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\audiodg.exe'
  PID: 2276
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 5⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 2720
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 6⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
  PID: 1736
  - Suspicious use of WriteProcessMemory
- 7⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1744
- 7⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 2308
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 8⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
  PID: 2456
  - Suspicious use of WriteProcessMemory
- 9⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2880
- 9⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 2924
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 10⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
  PID: 2832
  - Suspicious use of WriteProcessMemory
- 11⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2952
- 11⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 1916
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 12⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
  PID: 1016
  - Suspicious use of WriteProcessMemory
- 13⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1980
- 13⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 1984
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- 14⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
  PID: 2340
  - Suspicious use of WriteProcessMemory
- 15⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2200
- 15⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 1816
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 16⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
  PID: 2104
- 17⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1712
- 17⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 2908
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 18⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
  PID: 1812
- 19⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1952
- 19⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 756
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 20⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
  PID: 2408
- 21⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1364
- 21⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 1600
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 22⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
  PID: 2744
- 23⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2608
- 23⤵ C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  PID: 2788
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- 24⤵ C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
  PID: 1476
- 25⤵ C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2988
- 1⤵ C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f
  PID: 2644
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- 1⤵ C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  PID: 2756
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- 1⤵ C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  PID: 1904
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- 1⤵ C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\audiodg.exe'" /f
  PID: 2636
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- 1⤵ C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
  PID: 2696
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- 1⤵ C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
  PID: 2104
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads