Analysis
-
max time kernel
145s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 02:45
Behavioral task
behavioral1
Sample
JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe
-
Size
1.3MB
-
MD5
473689924a7a7a63536c9a6c4a055236
-
SHA1
73ce4d74fffa1ab662c4678a74da2f8977a1f3d6
-
SHA256
2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a
-
SHA512
ac5ca4ba0d48e16ae314c9e1cb564490746058664e4cea4e286f3afb6d1c83185d5ce3447267af0a4541fedef37ce2a34108bef7128072ef207ae772b14e296a
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2660  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2932  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2764  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2624  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2656  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2748  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2308  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1796  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1604  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2852  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2684  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1268  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1436  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  596  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2612  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1296  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2900  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2728  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1508  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1824  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2172  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2988  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2072  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2224  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2156  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1104  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1908  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1564  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  404  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3044  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2136  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1392  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1100  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  276  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2948  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  812  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2052  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  884  768  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2596  768  schtasks.exe  34
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid  Process
984  powershell.exe
1740  powershell.exe
2516  powershell.exe
2532  powershell.exe
2548  powershell.exe
2324  powershell.exe
1048  powershell.exe
2564  powershell.exe
2316  powershell.exe
3028  powershell.exe
2068  powershell.exe
1376  powershell.exe
2312  powershell.exe
1752  powershell.exe
-
Executes dropped EXE 13 IoCs
pid  Process
2732  DllCommonsvc.exe
1444  taskhost.exe
560  taskhost.exe
668  taskhost.exe
2824  taskhost.exe
404  taskhost.exe
564  taskhost.exe
2064  taskhost.exe
2484  taskhost.exe
440  taskhost.exe
2540  taskhost.exe
3000  taskhost.exe
2360  taskhost.exe
-
Loads dropped DLL 2 IoCs
pid  Process
2220  cmd.exe
2220  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow  ioc
4  raw.githubusercontent.com
9  raw.githubusercontent.com
19  raw.githubusercontent.com
23  raw.githubusercontent.com
26  raw.githubusercontent.com
33  raw.githubusercontent.com
36  raw.githubusercontent.com
5  raw.githubusercontent.com
12  raw.githubusercontent.com
16  raw.githubusercontent.com
30  raw.githubusercontent.com
39  raw.githubusercontent.com
-
Drops file in Program Files directory 2 IoCs
description  ioc  Process
File created  C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe  DllCommonsvc.exe
File created  C:\Program Files\VideoLAN\VLC\a76d7bf15d8370  DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description  ioc  Process
File created  C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\27d1bcfc3c54e0  DllCommonsvc.exe
File created  C:\Windows\Prefetch\ReadyBoot\cmd.exe  DllCommonsvc.exe
File created  C:\Windows\Prefetch\ReadyBoot\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Windows\PCHEALTH\ERRORREP\dllhost.exe  DllCommonsvc.exe
File created  C:\Windows\PCHEALTH\ERRORREP\5940a34987c991  DllCommonsvc.exe
File created  C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
description  pid  Process
Token: SeDebugPrivilege  2732  DllCommonsvc.exe
Token: SeDebugPrivilege  2516  powershell.exe
Token: SeDebugPrivilege  2564  powershell.exe
Token: SeDebugPrivilege  2532  powershell.exe
Token: SeDebugPrivilege  2324  powershell.exe
Token: SeDebugPrivilege  3028  powershell.exe
Token: SeDebugPrivilege  1752  powershell.exe
Token: SeDebugPrivilege  1048  powershell.exe
Token: SeDebugPrivilege  2316  powershell.exe
Token: SeDebugPrivilege  984  powershell.exe
Token: SeDebugPrivilege  2548  powershell.exe
Token: SeDebugPrivilege  2312  powershell.exe
Token: SeDebugPrivilege  1740  powershell.exe
Token: SeDebugPrivilege  2068  powershell.exe
Token: SeDebugPrivilege  1376  powershell.exe
Token: SeDebugPrivilege  1444  taskhost.exe
Token: SeDebugPrivilege  560  taskhost.exe
Token: SeDebugPrivilege  668  taskhost.exe
Token: SeDebugPrivilege  2824  taskhost.exe
Token: SeDebugPrivilege  404  taskhost.exe
Token: SeDebugPrivilege  564  taskhost.exe
Token: SeDebugPrivilege  2064  taskhost.exe
Token: SeDebugPrivilege  2484  taskhost.exe
Token: SeDebugPrivilege  440  taskhost.exe
Token: SeDebugPrivilege  2540  taskhost.exe
Token: SeDebugPrivilege  3000  taskhost.exe
Token: SeDebugPrivilege  2360  taskhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2cfbd85a9e504e8876ccd8a92a8ff7fd40c214f1f1f08a80037fdcc77d878d6a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2080
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"8⤵PID:1752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:700
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"10⤵PID:2544
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:608
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"12⤵PID:2724
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2156
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"14⤵PID:316
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2628
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"16⤵PID:2548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2756
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"18⤵PID:884
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1512
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"20⤵PID:2032
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1124
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"22⤵PID:3004
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2752
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"24⤵PID:636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:904
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"26⤵PID:2908
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:920
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
Network
MITRE ATT&CK Enterprise v15
Downloads