Analysis

Max time kernel: 148s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 30/12/2024, 02:32

Behavioral task: behavioral1
Sample: JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe
Size: 1.3MB
MD5: efc2f1ade97d40cd963071750ed36d46
SHA1: 7f4f75fbcec9b09d321fac8971c28b5fb1a5bef8
SHA256: 878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41
SHA512: 1a3e54c109922847ee73d4df675c6e04b7d9d01bfba2ca252d108ca02265bd500635ca23215565713cefa329b6296d4ace49ad819c65ec216d3fd3ff0afb6903
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell (1 TTPs, 13 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

pid  | Process
1772 | powershell.exe
2252 | powershell.exe
2088 | powershell.exe
1592 | powershell.exe
1724 | powershell.exe
1648 | powershell.exe
764  | powershell.exe
1744 | powershell.exe
2308 | powershell.exe
1344 | powershell.exe
1560 | powershell.exe
1860 | powershell.exe
2072 | powershell.exe

Executes dropped EXE (12 IoCs)

pid  | Process
2276 | DllCommonsvc.exe
1080 | wininit.exe
2900 | wininit.exe
1272 | wininit.exe
1528 | wininit.exe
2512 | wininit.exe
1496 | wininit.exe
2004 | wininit.exe
2528 | wininit.exe
1576 | wininit.exe
2416 | wininit.exe
2960 | wininit.exe

Loads dropped DLL (2 IoCs)

pid  | Process
2484 | cmd.exe
2484 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)

flow | ioc
4    | raw.githubusercontent.com
5    | raw.githubusercontent.com
18   | raw.githubusercontent.com
26   | raw.githubusercontent.com
29   | raw.githubusercontent.com
9    | raw.githubusercontent.com
12   | raw.githubusercontent.com
15   | raw.githubusercontent.com
22   | raw.githubusercontent.com
32   | raw.githubusercontent.com
35   | raw.githubusercontent.com
39   | raw.githubusercontent.com

Drops file in Program Files directory (2 IoCs)

description  | ioc                                               | Process
File created | C:\Program Files\MSBuild\Microsoft\lsm.exe        | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\101b941d020240 | DllCommonsvc.exe

Drops file in Windows directory (2 IoCs)

description  | ioc                                           | Process
File created | C:\Windows\DigitalLocker\ja-JP\lsass.exe      | DllCommonsvc.exe
File created | C:\Windows\DigitalLocker\ja-JP\6203df4a6bafc7 | DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc                                                         | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level n is the depth of an entry in the process tree; each entry is a child of the nearest preceding entry at level n-1.

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1944

Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1472

Level 3: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2484

Level 4: C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2276

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1744

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2308

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1772

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2252

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2088

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1344

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1860

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\ja-JP\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1560

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1592

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 764

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1648

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2072

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1724

Level 5: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1080

Level 6: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1864

Level 7: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2588

Level 7: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2900

Level 8: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
    PID: 1312

Level 9: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2396

Level 9: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1272

Level 10: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
    PID: 1344

Level 11: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 340

Level 11: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1528

Level 12: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
    PID: 2800

Level 13: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1936

Level 13: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2512

Level 14: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
    PID: 3068

Level 15: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2080

Level 15: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1496

Level 16: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
    PID: 2896

Level 17: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1972

Level 17: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2004

Level 18: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
    PID: 2508

Level 19: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1568

Level 19: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2528

Level 20: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
    PID: 900

Level 21: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2928

Level 21: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1576

Level 22: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
    PID: 1492

Level 23: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2088

Level 23: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2416

Level 24: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
    PID: 2976

Level 25: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2344

Level 25: C:\providercommon\wininit.exe
    Command line: "C:\providercommon\wininit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2960

Level 26: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
    PID: 1684

Level 27: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 952
Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3008

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3060

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2476

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 344

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2700

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2760

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2564

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2232

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 980

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1304

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2920

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1672

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1040

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 988

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1512

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2908

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2868

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1148

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 264

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 340

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1852

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2520

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2556

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2456

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2784

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1740

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2040

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2340

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2024

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 424

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2352

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1328

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1360

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1872

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1528

Level 1: C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1568
Network
MITRE ATT&CK Enterprise v15
Downloads