Analysis
max time kernel: 144s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:14
Behavioral task
behavioral1
Sample
JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
-
Size
1.3MB
-
MD5
d172aa4f6623dfe370b0786e38f92cfb
-
SHA1
07a5666f84bb475c39bbea4dc6b849bbda567e01
-
SHA256
b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0
-
SHA512
ba85afedc2e7a4cd207f5a50572a72c31ae6fb37a639985670092d3037b5509e55e8227e32388be99ead828a2930b660574d6f62e16ff2f36130e555b9701900
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2108  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1920  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2024  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1152  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1856  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2868  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2248  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2556  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1740  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  576  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2640  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1660  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  928  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  624  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1528  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2308  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1700  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1704  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1672  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3040  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1640  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3008  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1936  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1736  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2268  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  980  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1008  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  880  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1444  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3052  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2716  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1580  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2676  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2848  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2820  2612  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2904  2612  schtasks.exe  34
-
resource  yara_rule
behavioral1/files/0x000800000001686c-12.dat  dcrat
behavioral1/memory/2772-13-0x0000000000F30000-0x0000000001040000-memory.dmp  dcrat
behavioral1/memory/632-123-0x0000000000E10000-0x0000000000F20000-memory.dmp  dcrat
behavioral1/memory/888-182-0x0000000000260000-0x0000000000370000-memory.dmp  dcrat
behavioral1/memory/2820-242-0x0000000000920000-0x0000000000A30000-memory.dmp  dcrat
behavioral1/memory/2740-302-0x00000000012F0000-0x0000000001400000-memory.dmp  dcrat
behavioral1/memory/2084-721-0x00000000000F0000-0x0000000000200000-memory.dmp  dcrat
behavioral1/memory/1992-781-0x0000000000360000-0x0000000000470000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid  Process
2452  powershell.exe
1972  powershell.exe
1632  powershell.exe
2020  powershell.exe
2596  powershell.exe
2616  powershell.exe
2228  powershell.exe
1976  powershell.exe
2864  powershell.exe
2688  powershell.exe
2876  powershell.exe
2568  powershell.exe
2564  powershell.exe
2584  powershell.exe
-
Executes dropped EXE 14 IoCs
pid  Process
2772  DllCommonsvc.exe
568  DllCommonsvc.exe
632  conhost.exe
888  conhost.exe
2820  conhost.exe
2740  conhost.exe
496  conhost.exe
2060  conhost.exe
2448  conhost.exe
2188  conhost.exe
2336  conhost.exe
3000  conhost.exe
2084  conhost.exe
1992  conhost.exe
-
Loads dropped DLL 2 IoCs
pid  Process
2352  cmd.exe
2352  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow  ioc
9  raw.githubusercontent.com
16  raw.githubusercontent.com
19  raw.githubusercontent.com
33  raw.githubusercontent.com
36  raw.githubusercontent.com
40  raw.githubusercontent.com
4  raw.githubusercontent.com
5  raw.githubusercontent.com
12  raw.githubusercontent.com
22  raw.githubusercontent.com
23  raw.githubusercontent.com
26  raw.githubusercontent.com
30  raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description  ioc  Process
File created  C:\Program Files\7-Zip\e978f868350d50  DllCommonsvc.exe
File created  C:\Program Files\Windows Media Player\cmd.exe  DllCommonsvc.exe
File opened for modification  C:\Program Files\Windows Media Player\cmd.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Media Player\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows NT\TableTextService\5940a34987c991  DllCommonsvc.exe
File created  C:\Program Files\7-Zip\powershell.exe  DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe  DllCommonsvc.exe
File created  C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\24dbde2999530e  DllCommonsvc.exe
File created  C:\Windows\Tasks\conhost.exe  DllCommonsvc.exe
File created  C:\Windows\Tasks\088424020bedd6  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2820  schtasks.exe
2108  schtasks.exe
2268  schtasks.exe
880  schtasks.exe
3052  schtasks.exe
2716  schtasks.exe
2848  schtasks.exe
2556  schtasks.exe
1528  schtasks.exe
1936  schtasks.exe
1740  schtasks.exe
2676  schtasks.exe
1152  schtasks.exe
1660  schtasks.exe
1920  schtasks.exe
2024  schtasks.exe
2868  schtasks.exe
576  schtasks.exe
3040  schtasks.exe
2904  schtasks.exe
2248  schtasks.exe
1640  schtasks.exe
3008  schtasks.exe
1736  schtasks.exe
980  schtasks.exe
1580  schtasks.exe
1444  schtasks.exe
2640  schtasks.exe
928  schtasks.exe
624  schtasks.exe
2308  schtasks.exe
1700  schtasks.exe
1008  schtasks.exe
1856  schtasks.exe
1704  schtasks.exe
1672  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid  Process
2772  DllCommonsvc.exe
1976  powershell.exe
1632  powershell.exe
2452  powershell.exe
2020  powershell.exe
1972  powershell.exe
568  DllCommonsvc.exe
2568  powershell.exe
2688  powershell.exe
2584  powershell.exe
2228  powershell.exe
2876  powershell.exe
2864  powershell.exe
2616  powershell.exe
2564  powershell.exe
2596  powershell.exe
632  conhost.exe
888  conhost.exe
2820  conhost.exe
2740  conhost.exe
496  conhost.exe
2060  conhost.exe
2448  conhost.exe
2188  conhost.exe
2336  conhost.exe
3000  conhost.exe
2084  conhost.exe
1992  conhost.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
description  pid  Process
Token: SeDebugPrivilege  2772  DllCommonsvc.exe
Token: SeDebugPrivilege  1976  powershell.exe
Token: SeDebugPrivilege  1632  powershell.exe
Token: SeDebugPrivilege  2452  powershell.exe
Token: SeDebugPrivilege  2020  powershell.exe
Token: SeDebugPrivilege  1972  powershell.exe
Token: SeDebugPrivilege  568  DllCommonsvc.exe
Token: SeDebugPrivilege  2568  powershell.exe
Token: SeDebugPrivilege  2688  powershell.exe
Token: SeDebugPrivilege  2584  powershell.exe
Token: SeDebugPrivilege  2228  powershell.exe
Token: SeDebugPrivilege  2876  powershell.exe
Token: SeDebugPrivilege  2864  powershell.exe
Token: SeDebugPrivilege  2616  powershell.exe
Token: SeDebugPrivilege  2564  powershell.exe
Token: SeDebugPrivilege  2596  powershell.exe
Token: SeDebugPrivilege  632  conhost.exe
Token: SeDebugPrivilege  888  conhost.exe
Token: SeDebugPrivilege  2820  conhost.exe
Token: SeDebugPrivilege  2740  conhost.exe
Token: SeDebugPrivilege  496  conhost.exe
Token: SeDebugPrivilege  2060  conhost.exe
Token: SeDebugPrivilege  2448  conhost.exe
Token: SeDebugPrivilege  2188  conhost.exe
Token: SeDebugPrivilege  2336  conhost.exe
Token: SeDebugPrivilege  3000  conhost.exe
Token: SeDebugPrivilege  2084  conhost.exe
Token: SeDebugPrivilege  1992  conhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oiLsI5McyI.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1716
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"8⤵PID:2832
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2544
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"10⤵PID:756
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1576
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"12⤵PID:2732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:908
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"14⤵PID:1748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1872
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"16⤵PID:1148
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2176
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"18⤵PID:2868
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2756
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"20⤵PID:2492
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2396
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"22⤵PID:2388
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1920
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"24⤵PID:752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1692
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"26⤵PID:776
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1440
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"28⤵PID:624
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:976
-
-
C:\Windows\Tasks\conhost.exe"C:\Windows\Tasks\conhost.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\powershell.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
Network
MITRE ATT&CK Enterprise v15
Downloads