Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 01:56
Behavioral task: behavioral1
- Sample: JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
- Size: 1.3MB
- MD5: b9f158cdb090e31654547f8c954c96ff
- SHA1: dccaf2a828ce17f06ad7b06f00bc8dcf6eb4e07f
- SHA256: 70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f
- SHA512: 5e351b13e61ea84466f78d7d0ed5a8b0133dcada471c84c31a294151f5604cf9c323be0b712814107b08f21d042f69f0786439479add1893cfbc1b70f1c6d431
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
pid | Process
320 | cmd.exe
320 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
19 | raw.githubusercontent.com
27 | raw.githubusercontent.com
30 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
15 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70f0572bd6526b046b8be82c0669d14b53600f0b2fe0cf3085972106ad1c6a4f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNilxF3dNP.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1668
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"7⤵PID:1716
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:820
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"9⤵PID:2864
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1932
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"11⤵PID:1612
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2180
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"13⤵PID:2748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1700
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"15⤵PID:2084
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2524
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"17⤵PID:1552
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1576
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"19⤵PID:2004
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:1532
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"21⤵PID:1608
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1128
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"23⤵PID:2888
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2796
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"25⤵PID:2728
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1344
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms