Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 05:10

Behavioral task: behavioral1
Sample: JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe
Size: 1.3MB
MD5: 89f236d35c0d2b0feba9e2dc1126b748
SHA1: 8468de36e821a4bdb1007b1666e282227d25d31e
SHA256: 17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416
SHA512: 81811b0596db8432a72a3867f5ce12e1c0c64426160a42bfcb74b888cee55094b6e853b9abdc34f48fbd281cafd89fe1bdb5ed21b8de55b132d4b1fc1cfae70a
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 36 IoCs
This typically indicates that the parent process was compromised via an exploit or a macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (see list below) | 2860 | schtasks.exe | 34
All 36 entries carry the same description, pid_target 2860, Process schtasks.exe and procid_target 34; the pids of the spawned schtasks.exe processes are:
3004, 2648, 2796, 2640, 2696, 2116, 2028, 564, 1492, 2952, 1928, 2384, 2096, 328, 1880, 2856, 1788, 1904, 628, 2992, 2356, 2984, 2076, 2264, 2664, 1032, 2608, 2244, 752, 1596, 704, 1392, 1624, 1760, 1692, 1660

resource | yara_rule
behavioral1/files/0x0007000000016dbe-9.dat | dcrat
behavioral1/memory/2768-13-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat
behavioral1/memory/2836-115-0x0000000000D90000-0x0000000000EA0000-memory.dmp | dcrat
behavioral1/memory/2600-175-0x0000000000DF0000-0x0000000000F00000-memory.dmp | dcrat
behavioral1/memory/2696-294-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/2872-354-0x0000000000D50000-0x0000000000E60000-memory.dmp | dcrat
behavioral1/memory/2524-415-0x0000000000140000-0x0000000000250000-memory.dmp | dcrat
behavioral1/memory/2768-475-0x0000000001030000-0x0000000001140000-memory.dmp | dcrat
behavioral1/memory/2600-595-0x00000000002C0000-0x00000000003D0000-memory.dmp | dcrat
behavioral1/memory/2564-655-0x0000000000F80000-0x0000000001090000-memory.dmp | dcrat
behavioral1/memory/2828-715-0x0000000001180000-0x0000000001290000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1328, 2440, 984, 1716, 1656, 2252, 884, 2272, 2052, 2596, 1532, 964, 2532 | powershell.exe (all 13 entries)
Executes dropped EXE 13 IoCs
pid | Process
2768 | DllCommonsvc.exe
2836 | dllhost.exe
2600 | dllhost.exe
880 | dllhost.exe
2696 | dllhost.exe
2872 | dllhost.exe
2524 | dllhost.exe
2768 | dllhost.exe
3032 | dllhost.exe
2600 | dllhost.exe
2564 | dllhost.exe
2828 | dllhost.exe
2244 | dllhost.exe
Loads dropped DLL 2 IoCs
pid | Process
2300 | cmd.exe
2300 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
5, 9, 19, 25, 32, 35, 39, 4, 15, 22, 28, 12 | raw.githubusercontent.com (all 12 entries)
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\ja-JP\101b941d020240 | DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\DigitalLocker\fr-FR\24dbde2999530e | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2028, 1904, 2992, 2984, 2264, 704, 1492, 2856, 2608, 1392, 1760, 2096, 2356, 2696, 328, 1692, 1660, 1624, 2796, 2116, 564, 2952, 1880, 2664, 2244, 2640, 2076, 1032, 2648, 2384, 1788, 628, 752, 3004, 1928, 1596 | schtasks.exe (all 36 entries)
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid | Process
2768 | DllCommonsvc.exe (listed 11 times)
884, 1328, 2252, 2440, 1532, 984, 1656, 2596, 2052, 964, 1716, 2272, 2532 | powershell.exe
2836, 2600, 880, 2696, 2872, 2524, 2768, 3032, 2600, 2564, 2828, 2244 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2768 | DllCommonsvc.exe
Token: SeDebugPrivilege | 884, 1328, 2252, 2440, 1532, 984, 1656, 2596, 2052, 964, 1716, 2272, 2532 | powershell.exe
Token: SeDebugPrivilege | 2836, 2600, 880, 2696, 2872, 2524, 2768, 3032, 2600, 2564, 2828, 2244 | dllhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | times listed
PID 1868 wrote to memory of 1848 | 1868 | JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe | 30 | 4
PID 1848 wrote to memory of 2300 | 1848 | WScript.exe | 31 | 4
PID 2300 wrote to memory of 2768 | 2300 | cmd.exe | 33 | 4
PID 2768 wrote to memory of 1716 | 2768 | DllCommonsvc.exe | 71 | 3
PID 2768 wrote to memory of 2052 | 2768 | DllCommonsvc.exe | 72 | 3
PID 2768 wrote to memory of 1656 | 2768 | DllCommonsvc.exe | 73 | 3
PID 2768 wrote to memory of 1328 | 2768 | DllCommonsvc.exe | 74 | 3
PID 2768 wrote to memory of 884 | 2768 | DllCommonsvc.exe | 75 | 3
PID 2768 wrote to memory of 1532 | 2768 | DllCommonsvc.exe | 76 | 3
PID 2768 wrote to memory of 2596 | 2768 | DllCommonsvc.exe | 77 | 3
PID 2768 wrote to memory of 2252 | 2768 | DllCommonsvc.exe | 78 | 3
PID 2768 wrote to memory of 2272 | 2768 | DllCommonsvc.exe | 79 | 3
PID 2768 wrote to memory of 2440 | 2768 | DllCommonsvc.exe | 80 | 3
PID 2768 wrote to memory of 964 | 2768 | DllCommonsvc.exe | 81 | 3
PID 2768 wrote to memory of 984 | 2768 | DllCommonsvc.exe | 82 | 3
PID 2768 wrote to memory of 2532 | 2768 | DllCommonsvc.exe | 83 | 3
PID 2768 wrote to memory of 2408 | 2768 | DllCommonsvc.exe | 93 | 3
PID 2408 wrote to memory of 2700 | 2408 | cmd.exe | 99 | 3
PID 2408 wrote to memory of 2836 | 2408 | cmd.exe | 101 | 3
PID 2836 wrote to memory of 3032 | 2836 | dllhost.exe | 102 | 3
PID 3032 wrote to memory of 2604 | 3032 | cmd.exe | 104 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17f31e1e8571282d02bf2a2ca0817ec203607bf1ba0cd67ec1e26b41d0524416.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1868

depth 2: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1848

depth 3: C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2300

depth 4: C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2768

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1716
depth 5: twelve further C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe processes, each flagged with Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken:
  PID 2052: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsm.exe'
  PID 1656: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'
  PID 1328: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  PID 884: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'
  PID 1532: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'
  PID 2596: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\wininit.exe'
  PID 2252: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'
  PID 2272: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
  PID 2440: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'
  PID 964: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
  PID 984: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'
  PID 2532: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
depth 5: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4iSnXMBO8P.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2408

depth 6: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2700

depth 6: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
  command line: "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2836

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3032

depth 8: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2604

depth 8: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe
  command line: "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2600

The same three-step pattern (cmd.exe running a dropped .bat, w32tm.exe, then the dropped dllhost.exe) repeats down the tree; each dllhost.exe instance below is flagged with Executes dropped EXE, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken, and each w32tm.exe runs w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2.

depth 9: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat", PID: 2508
depth 10: C:\Windows\system32\w32tm.exe, PID: 668
depth 10: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 880

depth 11: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat", PID: 2772
depth 12: C:\Windows\system32\w32tm.exe, PID: 636
depth 12: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2696

depth 13: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat", PID: 2992
depth 14: C:\Windows\system32\w32tm.exe, PID: 2060
depth 14: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2872

depth 15: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat", PID: 2728
depth 16: C:\Windows\system32\w32tm.exe, PID: 3012
depth 16: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2524

depth 17: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat", PID: 2596
depth 18: C:\Windows\system32\w32tm.exe, PID: 880
depth 18: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2768

depth 19: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat", PID: 596
depth 20: C:\Windows\system32\w32tm.exe, PID: 2096
depth 20: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 3032

depth 21: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat", PID: 2872
depth 22: C:\Windows\system32\w32tm.exe, PID: 2556
depth 22: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2600

depth 23: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat", PID: 904
depth 24: C:\Windows\system32\w32tm.exe, PID: 1556
depth 24: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2564

depth 25: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat", PID: 1752
depth 26: C:\Windows\system32\w32tm.exe, PID: 480
depth 26: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2828

depth 27: C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat", PID: 1496
depth 28: C:\Windows\system32\w32tm.exe, PID: 2624
depth 28: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe, PID: 2244
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
Network
MITRE ATT&CK Enterprise v15
Downloads