Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
- submitted: 30/12/2024, 17:34
Behavioral task
behavioral1
Sample
JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe
-
Size
1.3MB
-
MD5
e61eccdf0a05ef3fa73691d96fd0d34d
-
SHA1
cc80f9c112eb61e1c057bcc9b1a7aa97806a0926
-
SHA256
6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649
-
SHA512
118bb2a4e4047a0c46fb6dd3e22017e598194a13a74db403107af8b360d7477e264e954488403b38fbe3dc7771a83724948d82f5edb7405164d8ba5a187d27aa
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2664  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2660  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2756  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2632  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2704  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2488  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  660  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  308  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  604  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3028  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2968  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3048  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2996  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2964  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2896  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3044  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1508  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1496  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1268  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1980  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2456  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2736  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  760  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1996  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1060  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  624  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1100  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2620  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1144  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1200  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1592  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1156  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1000  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  108  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1732  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2236  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1520  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1372  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1740  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2216  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2224  2920  schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2016  2920  schtasks.exe  35
-
resource  yara_rule
behavioral1/files/0x000700000001949d-9.dat  dcrat
behavioral1/memory/2784-13-0x00000000003F0000-0x0000000000500000-memory.dmp  dcrat
behavioral1/memory/2748-52-0x00000000000E0000-0x00000000001F0000-memory.dmp  dcrat
behavioral1/memory/2268-188-0x0000000000FF0000-0x0000000001100000-memory.dmp  dcrat
behavioral1/memory/2820-248-0x00000000010A0000-0x00000000011B0000-memory.dmp  dcrat
behavioral1/memory/1224-428-0x0000000001320000-0x0000000001430000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
pid  Process
2784  DllCommonsvc.exe
2748  smss.exe
2268  smss.exe
2820  smss.exe
568  smss.exe
1772  smss.exe
1224  smss.exe
2764  smss.exe
2064  smss.exe
2016  smss.exe
1660  smss.exe
2608  smss.exe
-
Loads dropped DLL 2 IoCs
pid  Process
1868  cmd.exe
1868  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow  ioc
4  raw.githubusercontent.com
5  raw.githubusercontent.com
9  raw.githubusercontent.com
12  raw.githubusercontent.com
26  raw.githubusercontent.com
30  raw.githubusercontent.com
16  raw.githubusercontent.com
19  raw.githubusercontent.com
23  raw.githubusercontent.com
33  raw.githubusercontent.com
37  raw.githubusercontent.com
40  raw.githubusercontent.com
-
Drops file in Program Files directory 6 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Windows Media Player\ja-JP\cc11b995f2a76d  DllCommonsvc.exe
File created  C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows NT\TableTextService\it-IT\75a57c1bdf437c  DllCommonsvc.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\0a1fd5f707cd16  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
description  pid  Process
Token: SeDebugPrivilege  2784  DllCommonsvc.exe
Token: SeDebugPrivilege  2748  smss.exe
Token: SeDebugPrivilege  1088  powershell.exe
Token: SeDebugPrivilege  1644  powershell.exe
Token: SeDebugPrivilege  2304  powershell.exe
Token: SeDebugPrivilege  2540  powershell.exe
Token: SeDebugPrivilege  588  powershell.exe
Token: SeDebugPrivilege  1876  powershell.exe
Token: SeDebugPrivilege  2412  powershell.exe
Token: SeDebugPrivilege  1824  powershell.exe
Token: SeDebugPrivilege  2176  powershell.exe
Token: SeDebugPrivilege  2220  powershell.exe
Token: SeDebugPrivilege  2392  powershell.exe
Token: SeDebugPrivilege  2536  powershell.exe
Token: SeDebugPrivilege  996  powershell.exe
Token: SeDebugPrivilege  2184  powershell.exe
Token: SeDebugPrivilege  568  powershell.exe
Token: SeDebugPrivilege  2268  smss.exe
Token: SeDebugPrivilege  2820  smss.exe
Token: SeDebugPrivilege  568  smss.exe
Token: SeDebugPrivilege  1772  smss.exe
Token: SeDebugPrivilege  1224  smss.exe
Token: SeDebugPrivilege  2764  smss.exe
Token: SeDebugPrivilege  2064  smss.exe
Token: SeDebugPrivilege  2016  smss.exe
Token: SeDebugPrivilege  1660  smss.exe
Token: SeDebugPrivilege  2608  smss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵
PID:2876
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat" 8⤵
PID:2684
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵
PID:2488
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat" 10⤵
PID:2908
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵
PID:2056
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat" 12⤵
PID:1276
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵
PID:2120
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat" 14⤵
PID:108
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵
PID:2812
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat" 16⤵
PID:2820
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵
PID:2056
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat" 18⤵
PID:308
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵
PID:2204
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat" 20⤵
PID:2216
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵
PID:876
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat" 22⤵
PID:996
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵
PID:2348
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat" 24⤵
PID:1080
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵
PID:2308
-
-
C:\Users\Default\Music\smss.exe "C:\Users\Default\Music\smss.exe" 25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat" 26⤵
PID:2696
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵
PID:3000
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
Network
MITRE ATT&CK Enterprise v15
Downloads