Analysis
max time kernel: 146s
max time network: 144s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:29
Behavioral task: behavioral1
Sample: JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
Size: 1.3MB
MD5: 58b2d1bb18da04e20a7276af992a3be4
SHA1: ad37f07d5ca74e0897ce214be71f69e789003354
SHA256: 44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef
SHA512: 5aeb06a974eb132285b92af0d80c71f36f35c137dd34e55428e0ce95364717bebb2a8a84c6ea8fab593cdd82010a368a00bd8b10b7725c51045c1feed11e1c18
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description | pid | pid_target | Process | procid_target
All 39 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 1388, Process schtasks.exe and procid_target 34; they differ only in pid:
768, 688, 580, 2080, 1796, 2612, 568, 1112, 2532, 2764, 3024, 3000, 2552, 2516, 1916, 2404, 2144, 1428, 1676, 2484, 2488, 668, 2184, 2420, 1944, 1300, 2492, 748, 1504, 1128, 2292, 2620, 1272, 2380, 1860, 1532, 1684, 332, 1624
Columns: resource | yara_rule
behavioral1/files/0x0008000000016621-9.dat | dcrat
behavioral1/memory/2852-13-0x0000000000C60000-0x0000000000D70000-memory.dmp | dcrat
behavioral1/memory/1044-87-0x0000000000AC0000-0x0000000000BD0000-memory.dmp | dcrat
behavioral1/memory/1520-303-0x0000000000B90000-0x0000000000CA0000-memory.dmp | dcrat
behavioral1/memory/3056-363-0x0000000000DF0000-0x0000000000F00000-memory.dmp | dcrat
behavioral1/memory/1944-423-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat
behavioral1/memory/1676-484-0x0000000000870000-0x0000000000980000-memory.dmp | dcrat
behavioral1/memory/2468-544-0x0000000000980000-0x0000000000A90000-memory.dmp | dcrat
behavioral1/memory/1820-604-0x0000000000060000-0x0000000000170000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 14 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Columns: pid | Process
1776 powershell.exe; 2356 powershell.exe; 2908 powershell.exe; 1512 powershell.exe; 2392 powershell.exe; 1816 powershell.exe; 1520 powershell.exe; 1432 powershell.exe; 1048 powershell.exe; 2044 powershell.exe; 872 powershell.exe; 2112 powershell.exe; 2396 powershell.exe; 2164 powershell.exe
Executes dropped EXE (10 IoCs)
Columns: pid | Process
2852 DllCommonsvc.exe; 1044 System.exe; 2620 System.exe; 828 System.exe; 1520 System.exe; 3056 System.exe; 1944 System.exe; 1676 System.exe; 2468 System.exe; 1820 System.exe
Loads dropped DLL (2 IoCs)
Columns: pid | Process
2700 cmd.exe; 2700 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
Columns: flow | ioc
5 raw.githubusercontent.com; 22 raw.githubusercontent.com; 26 raw.githubusercontent.com; 29 raw.githubusercontent.com; 19 raw.githubusercontent.com; 4 raw.githubusercontent.com; 9 raw.githubusercontent.com; 12 raw.githubusercontent.com; 16 raw.githubusercontent.com
Drops file in Program Files directory (8 IoCs)
Columns: description | ioc | Process (all rows: File created, by DllCommonsvc.exe)
C:\Program Files (x86)\Windows Mail\56085415360792
C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
C:\Program Files (x86)\Windows Portable Devices\5940a34987c991
C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe
C:\Program Files (x86)\Windows NT\Accessories\ja-JP\24dbde2999530e
C:\Program Files\Windows Media Player\ja-JP\cmd.exe
C:\Program Files\Windows Media Player\ja-JP\ebf1f9fa8afd6d
C:\Program Files (x86)\Windows Mail\wininit.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns: description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Columns: pid | Process (all rows: schtasks.exe)
2620, 1860, 2488, 668, 2420, 2292, 3000, 1504, 580, 2612, 2764, 3024, 1684, 1944, 1300, 1272, 1532, 2184, 1128, 332, 1624, 768, 1112, 2552, 1676, 2492, 2380, 2404, 2144, 2484, 748, 688, 1796, 2532, 2516, 2080, 568, 1916, 1428
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Columns: pid | Process
2852 DllCommonsvc.exe; 2396 powershell.exe; 2908 powershell.exe; 1512 powershell.exe; 1816 powershell.exe; 2112 powershell.exe; 1048 powershell.exe; 1432 powershell.exe; 2044 powershell.exe; 2392 powershell.exe; 1044 System.exe; 872 powershell.exe; 1776 powershell.exe; 2356 powershell.exe; 2164 powershell.exe; 1520 powershell.exe; 2620 System.exe; 828 System.exe; 1520 System.exe; 3056 System.exe; 1944 System.exe; 1676 System.exe; 2468 System.exe; 1820 System.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Columns: description | pid | Process (all rows: Token: SeDebugPrivilege)
2852 DllCommonsvc.exe; 2396 powershell.exe; 1512 powershell.exe; 2908 powershell.exe; 1816 powershell.exe; 2112 powershell.exe; 1048 powershell.exe; 1432 powershell.exe; 2044 powershell.exe; 2392 powershell.exe; 1044 System.exe; 872 powershell.exe; 1776 powershell.exe; 2356 powershell.exe; 2164 powershell.exe; 1520 powershell.exe; 2620 System.exe; 828 System.exe; 1520 System.exe; 3056 System.exe; 1944 System.exe; 1676 System.exe; 2468 System.exe; 1820 System.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description | pid | Process | procid_target (identical consecutive rows collapsed, count in parentheses)
PID 2884 wrote to memory of 2684 | 2884 | JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe | 30 (x4)
PID 2684 wrote to memory of 2700 | 2684 | WScript.exe | 31 (x4)
PID 2700 wrote to memory of 2852 | 2700 | cmd.exe | 33 (x4)
PID 2852 wrote to memory of 2908 | 2852 | DllCommonsvc.exe | 74 (x3)
PID 2852 wrote to memory of 2164 | 2852 | DllCommonsvc.exe | 75 (x3)
PID 2852 wrote to memory of 1048 | 2852 | DllCommonsvc.exe | 76 (x3)
PID 2852 wrote to memory of 2044 | 2852 | DllCommonsvc.exe | 78 (x3)
PID 2852 wrote to memory of 1432 | 2852 | DllCommonsvc.exe | 80 (x3)
PID 2852 wrote to memory of 2356 | 2852 | DllCommonsvc.exe | 83 (x3)
PID 2852 wrote to memory of 2396 | 2852 | DllCommonsvc.exe | 84 (x3)
PID 2852 wrote to memory of 2112 | 2852 | DllCommonsvc.exe | 85 (x3)
PID 2852 wrote to memory of 2392 | 2852 | DllCommonsvc.exe | 86 (x3)
PID 2852 wrote to memory of 1520 | 2852 | DllCommonsvc.exe | 87 (x3)
PID 2852 wrote to memory of 872 | 2852 | DllCommonsvc.exe | 88 (x3)
PID 2852 wrote to memory of 1512 | 2852 | DllCommonsvc.exe | 89 (x3)
PID 2852 wrote to memory of 1816 | 2852 | DllCommonsvc.exe | 90 (x3)
PID 2852 wrote to memory of 1776 | 2852 | DllCommonsvc.exe | 91 (x3)
PID 2852 wrote to memory of 1044 | 2852 | DllCommonsvc.exe | 102 (x3)
PID 1044 wrote to memory of 3016 | 1044 | System.exe | 103 (x3)
PID 3016 wrote to memory of 332 | 3016 | cmd.exe | 105 (x3)
PID 3016 wrote to memory of 2620 | 3016 | cmd.exe | 106 (x1)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry: [tree depth] image path, then the command line, the signatures it triggered, and its PID.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2884

[2] C:\Windows\SysWOW64\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2684

[3] C:\Windows\SysWOW64\cmd.exe
    cmd: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2700

[4] C:\providercommon\DllCommonsvc.exe
    cmd: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2852

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2908

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2164

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1048

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2044

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1432

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2356

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2112

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2392

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1520

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 872

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1512

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1816

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1776

[5] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1044

[6] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3016

[7] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 332

[7] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2620

[8] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
    PID: 2728

[9] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2900

[9] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 828

[10] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
    PID: 1772

[11] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2852

[11] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1520

[12] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
    PID: 760

[13] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1300

[13] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3056

[14] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
    PID: 1792

[15] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2148

[15] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1944

[16] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
    PID: 1032

[17] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2240

[17] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1676

[18] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
    PID: 692

[19] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2388

[19] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2468

[20] C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
    PID: 3052

[21] C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1624

[21] C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
    cmd: "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1820
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
Network
MITRE ATT&CK Enterprise v15
Downloads