Analysis
max time kernel: 145s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:21
Behavioral task
behavioral1
Sample
JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe
-
Size
1.3MB
-
MD5
387324709c0a9d8986ef46494a80ea24
-
SHA1
19d1271cd48e42a88ec2e02254efac61e2c2b64c
-
SHA256
c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def
-
SHA512
f2a0ae08559c298b44d7e32ba3e4e56c609975ba02dd3de04c4a2253c6a13daeea7c5b56c95d524df9a54559ffd27a71cd78eb53a9ba89654286681629e82bab
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x000f000000018662-9.dat | dcrat
behavioral1/memory/2708-13-0x00000000011B0000-0x00000000012C0000-memory.dmp | dcrat
behavioral1/memory/1752-130-0x0000000001140000-0x0000000001250000-memory.dmp | dcrat
behavioral1/memory/1836-307-0x00000000013E0000-0x00000000014F0000-memory.dmp | dcrat
behavioral1/memory/2552-426-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/284-486-0x0000000000F80000-0x0000000001090000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
Loads dropped DLL 2 IoCs
pid Process 1464 cmd.exe 1464 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
26 | raw.githubusercontent.com
9 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\de-DE\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\it-IT\f3b6ecef712a24 | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\a76d7bf15d8370 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 27 IoCs
Suspicious use of AdjustPrivilegeToken 27 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\twjiYCOL1g.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2500
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"7⤵PID:2084
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1308
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"9⤵PID:1956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1764
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"11⤵PID:2268
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2564
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"13⤵PID:2780
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1516
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"15⤵PID:2760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1588
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"17⤵PID:2588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2132
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"19⤵PID:568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2352
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"21⤵PID:376
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2720
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"23⤵PID:2012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1216
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
Network
MITRE ATT&CK Enterprise v15
Downloads