Analysis
max time kernel: 142s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:03
Behavioral task: behavioral1
Sample: JaffaCakes118_bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99.exe
Size: 1.3MB
MD5: 2a1f4d34ad5c44906d6fec7584afb5e9
SHA1: 54cc1a9fe88281490bb5c3336a505a16d88e2e02
SHA256: bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99
SHA512: 341a3dead26b8be2374d25f9cdfc28c662ffb2d76ee1ef4ac59e79df7deef11c1155216565b527d5f9aaaa2a24c8f53839ef51417c30d7c4b0d29c6df667e1f3
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all 36 rows)
Process: schtasks.exe (all rows); pid_target: 2816; procid_target: 35
pid: 2828, 2884, 2800, 2580, 2612, 2704, 528, 1636, 1972, 612, 2324, 1848, 2016, 1560, 2124, 2384, 1664, 2372, 2000, 1368, 1772, 1212, 2620, 2892, 2424, 2856, 2444, 1136, 660, 788, 944, 1180, 1740, 1716, 1724, 740
-
resource | yara_rule
behavioral1/files/0x0008000000016c62-11.dat | dcrat
behavioral1/memory/540-13-0x0000000000C60000-0x0000000000D70000-memory.dmp | dcrat
behavioral1/memory/1532-48-0x0000000001040000-0x0000000001150000-memory.dmp | dcrat
behavioral1/memory/2540-352-0x00000000011E0000-0x00000000012F0000-memory.dmp | dcrat
behavioral1/memory/2276-412-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
behavioral1/memory/972-473-0x0000000000A60000-0x0000000000B70000-memory.dmp | dcrat
behavioral1/memory/1180-533-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/988-593-0x0000000001020000-0x0000000001130000-memory.dmp | dcrat
behavioral1/memory/2908-653-0x0000000001130000-0x0000000001240000-memory.dmp | dcrat
behavioral1/memory/2876-713-0x0000000001350000-0x0000000001460000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Process: powershell.exe (all rows)
pid: 1520, 1648, 592, 552, 2228, 1332, 284, 2224, 2340, 2908, 1620, 2504, 2188
-
Executes dropped EXE 13 IoCs
pid | Process
540 | DllCommonsvc.exe
1532 | winlogon.exe
740 | winlogon.exe
1584 | winlogon.exe
2824 | winlogon.exe
2540 | winlogon.exe
2276 | winlogon.exe
972 | winlogon.exe
1180 | winlogon.exe
988 | winlogon.exe
2908 | winlogon.exe
2876 | winlogon.exe
1996 | winlogon.exe
-
Loads dropped DLL 2 IoCs
pid | Process
308 | cmd.exe
308 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
ioc: raw.githubusercontent.com (all rows)
flow: 36, 39, 9, 16, 29, 32, 23, 26, 4, 5, 13, 19
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files\7-Zip\Lang\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\101b941d020240 | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\IME\imekr8\help\WMIADAP.exe | DllCommonsvc.exe
File created | C:\Windows\IME\imekr8\help\75a57c1bdf437c | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\1036\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\1036\6203df4a6bafc7 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (all rows)
pid: 2828, 2884, 1636, 2016, 2612, 612, 2372, 2620, 2424, 2580, 2324, 660, 1180, 1724, 740, 2704, 528, 1560, 2000, 1740, 1848, 1972, 2124, 1212, 2892, 944, 1716, 2800, 2384, 1664, 1368, 1772, 2856, 2444, 1136, 788
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
540 | DllCommonsvc.exe
2224 | powershell.exe
1620 | powershell.exe
1332 | powershell.exe
2228 | powershell.exe
1520 | powershell.exe
2188 | powershell.exe
1648 | powershell.exe
552 | powershell.exe
2504 | powershell.exe
2340 | powershell.exe
592 | powershell.exe
1532 | winlogon.exe
2908 | powershell.exe
284 | powershell.exe
740 | winlogon.exe
1584 | winlogon.exe
2824 | winlogon.exe
2540 | winlogon.exe
2276 | winlogon.exe
972 | winlogon.exe
1180 | winlogon.exe
988 | winlogon.exe
2908 | winlogon.exe
2876 | winlogon.exe
1996 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description: Token: SeDebugPrivilege (all rows)
pid | Process
540 | DllCommonsvc.exe
1532 | winlogon.exe
2224 | powershell.exe
1620 | powershell.exe
1332 | powershell.exe
2228 | powershell.exe
1520 | powershell.exe
2188 | powershell.exe
1648 | powershell.exe
552 | powershell.exe
2504 | powershell.exe
2340 | powershell.exe
592 | powershell.exe
2908 | powershell.exe
284 | powershell.exe
740 | winlogon.exe
1584 | winlogon.exe
2824 | winlogon.exe
2540 | winlogon.exe
2276 | winlogon.exe
972 | winlogon.exe
1180 | winlogon.exe
988 | winlogon.exe
2908 | winlogon.exe
2876 | winlogon.exe
1996 | winlogon.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcf048384781099cbf7333dba8d51985908a33cdb1dfbb315a33ff8af92c4a99.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:308 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\imekr8\help\WMIADAP.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2820
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat" 8⤵ PID:2508
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:864
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat" 10⤵ PID:2504
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2880
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat" 12⤵ PID:1504
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:1072
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat" 14⤵ PID:264
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2144
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat" 16⤵ PID:2760
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:1332
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat" 18⤵ PID:2596
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:1748
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat" 20⤵ PID:2632
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:1992
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat" 22⤵ PID:1620
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2228
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat" 24⤵ PID:1628
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:472
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat" 26⤵ PID:1136
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:2288
-
-
C:\providercommon\winlogon.exe "C:\providercommon\winlogon.exe" 27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\imekr8\help\WMIADAP.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\IME\imekr8\help\WMIADAP.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\imekr8\help\WMIADAP.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
Network
MITRE ATT&CK Enterprise v15
Downloads