Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 17:41
Behavioral task
behavioral1
Sample
JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe
-
Size
1.3MB
-
MD5
8dcdf997cb48e2b4106d667557d8f819
-
SHA1
a046ecc1acd78be06c690d4e39cde3342c17dd45
-
SHA256
5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694
-
SHA512
c89a0e0a872cbbf4cf3f9722f91d4b001df6953b610c31a2d324d2e26809afc4e82915ca0bb05fa5e0a98b2d940b9bfa64effc9ecec4f484bcc562bca68c7646
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1968 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1488 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 664 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1936 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 352 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 308 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1528 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 568 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 580 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2772 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 964 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2252 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2600 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2600 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000016edc-9.dat | dcrat
behavioral1/memory/2712-13-0x00000000009D0000-0x0000000000AE0000-memory.dmp | dcrat
behavioral1/memory/1260-48-0x0000000000D20000-0x0000000000E30000-memory.dmp | dcrat
behavioral1/memory/2884-173-0x0000000000E70000-0x0000000000F80000-memory.dmp | dcrat
behavioral1/memory/2356-233-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
behavioral1/memory/320-411-0x0000000000240000-0x0000000000350000-memory.dmp | dcrat
behavioral1/memory/2732-472-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/1596-532-0x0000000000FE0000-0x00000000010F0000-memory.dmp | dcrat
behavioral1/memory/2760-711-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2272 powershell.exe 1716 powershell.exe 1652 powershell.exe 1328 powershell.exe 1720 powershell.exe 1584 powershell.exe 2968 powershell.exe 1728 powershell.exe 688 powershell.exe 612 powershell.exe 3008 powershell.exe 2636 powershell.exe 2464 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2712 DllCommonsvc.exe 1260 System.exe 2884 System.exe 2356 System.exe 2324 System.exe 1276 System.exe 320 System.exe 2732 System.exe 1596 System.exe 2400 System.exe 2876 System.exe 2760 System.exe -
Loads dropped DLL 2 IoCs
pid Process 2380 cmd.exe 2380 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
31 | raw.githubusercontent.com
35 | raw.githubusercontent.com
38 | raw.githubusercontent.com
4 | raw.githubusercontent.com
13 | raw.githubusercontent.com
20 | raw.githubusercontent.com
24 | raw.githubusercontent.com
28 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
17 | raw.githubusercontent.com
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\SpeechEngines\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\cc11b995f2a76d | DllCommonsvc.exe
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Speech\Common\fr-FR\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Windows\Globalization\ELS\Transliteration\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\Globalization\ELS\Transliteration\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\authman\a76d7bf15d8370 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2252 schtasks.exe 2220 schtasks.exe 2884 schtasks.exe 1488 schtasks.exe 664 schtasks.exe 2172 schtasks.exe 2196 schtasks.exe 1968 schtasks.exe 2788 schtasks.exe 2060 schtasks.exe 2408 schtasks.exe 2104 schtasks.exe 2620 schtasks.exe 308 schtasks.exe 1528 schtasks.exe 1244 schtasks.exe 1744 schtasks.exe 2000 schtasks.exe 2772 schtasks.exe 1628 schtasks.exe 964 schtasks.exe 1992 schtasks.exe 1960 schtasks.exe 2348 schtasks.exe 1936 schtasks.exe 580 schtasks.exe 2072 schtasks.exe 1704 schtasks.exe 2004 schtasks.exe 2792 schtasks.exe 1036 schtasks.exe 352 schtasks.exe 568 schtasks.exe 2648 schtasks.exe 2532 schtasks.exe 2208 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2712 DllCommonsvc.exe 2968 powershell.exe 3008 powershell.exe 1716 powershell.exe 2464 powershell.exe 1584 powershell.exe 1720 powershell.exe 2636 powershell.exe 1652 powershell.exe 612 powershell.exe 1728 powershell.exe 1328 powershell.exe 688 powershell.exe 2272 powershell.exe 1260 System.exe 2884 System.exe 2356 System.exe 2324 System.exe 1276 System.exe 320 System.exe 2732 System.exe 1596 System.exe 2400 System.exe 2876 System.exe 2760 System.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 2712 DllCommonsvc.exe Token: SeDebugPrivilege 1260 System.exe Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 3008 powershell.exe Token: SeDebugPrivilege 1716 powershell.exe Token: SeDebugPrivilege 2464 powershell.exe Token: SeDebugPrivilege 1584 powershell.exe Token: SeDebugPrivilege 1720 powershell.exe Token: SeDebugPrivilege 2636 powershell.exe Token: SeDebugPrivilege 1652 powershell.exe Token: SeDebugPrivilege 612 powershell.exe Token: SeDebugPrivilege 1728 powershell.exe Token: SeDebugPrivilege 1328 powershell.exe Token: SeDebugPrivilege 688 powershell.exe Token: SeDebugPrivilege 2272 powershell.exe Token: SeDebugPrivilege 2884 System.exe Token: SeDebugPrivilege 2356 System.exe Token: SeDebugPrivilege 2324 System.exe Token: SeDebugPrivilege 1276 System.exe Token: SeDebugPrivilege 320 System.exe Token: SeDebugPrivilege 2732 System.exe Token: SeDebugPrivilege 1596 System.exe Token: SeDebugPrivilege 2400 System.exe Token: SeDebugPrivilege 2876 System.exe Token: SeDebugPrivilege 2760 System.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2996 wrote to memory of 2752 | 2996 | JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe | 30
PID 2996 wrote to memory of 2752 | 2996 | JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe | 30
PID 2996 wrote to memory of 2752 | 2996 | JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe | 30
PID 2996 wrote to memory of 2752 | 2996 | JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe | 30
PID 2752 wrote to memory of 2380 | 2752 | WScript.exe | 31
PID 2752 wrote to memory of 2380 | 2752 | WScript.exe | 31
PID 2752 wrote to memory of 2380 | 2752 | WScript.exe | 31
PID 2752 wrote to memory of 2380 | 2752 | WScript.exe | 31
PID 2380 wrote to memory of 2712 | 2380 | cmd.exe | 33
PID 2380 wrote to memory of 2712 | 2380 | cmd.exe | 33
PID 2380 wrote to memory of 2712 | 2380 | cmd.exe | 33
PID 2380 wrote to memory of 2712 | 2380 | cmd.exe | 33
PID 2712 wrote to memory of 2272 | 2712 | DllCommonsvc.exe | 71
PID 2712 wrote to memory of 2272 | 2712 | DllCommonsvc.exe | 71
PID 2712 wrote to memory of 2272 | 2712 | DllCommonsvc.exe | 71
PID 2712 wrote to memory of 1584 | 2712 | DllCommonsvc.exe | 72
PID 2712 wrote to memory of 1584 | 2712 | DllCommonsvc.exe | 72
PID 2712 wrote to memory of 1584 | 2712 | DllCommonsvc.exe | 72
PID 2712 wrote to memory of 2968 | 2712 | DllCommonsvc.exe | 73
PID 2712 wrote to memory of 2968 | 2712 | DllCommonsvc.exe | 73
PID 2712 wrote to memory of 2968 | 2712 | DllCommonsvc.exe | 73
PID 2712 wrote to memory of 1716 | 2712 | DllCommonsvc.exe | 74
PID 2712 wrote to memory of 1716 | 2712 | DllCommonsvc.exe | 74
PID 2712 wrote to memory of 1716 | 2712 | DllCommonsvc.exe | 74
PID 2712 wrote to memory of 1728 | 2712 | DllCommonsvc.exe | 75
PID 2712 wrote to memory of 1728 | 2712 | DllCommonsvc.exe | 75
PID 2712 wrote to memory of 1728 | 2712 | DllCommonsvc.exe | 75
PID 2712 wrote to memory of 1720 | 2712 | DllCommonsvc.exe | 76
PID 2712 wrote to memory of 1720 | 2712 | DllCommonsvc.exe | 76
PID 2712 wrote to memory of 1720 | 2712 | DllCommonsvc.exe | 76
PID 2712 wrote to memory of 612 | 2712 | DllCommonsvc.exe | 77
PID 2712 wrote to memory of 612 | 2712 | DllCommonsvc.exe | 77
PID 2712 wrote to memory of 612 | 2712 | DllCommonsvc.exe | 77
PID 2712 wrote to memory of 688 | 2712 | DllCommonsvc.exe | 79
PID 2712 wrote to memory of 688 | 2712 | DllCommonsvc.exe | 79
PID 2712 wrote to memory of 688 | 2712 | DllCommonsvc.exe | 79
PID 2712 wrote to memory of 1652 | 2712 | DllCommonsvc.exe | 80
PID 2712 wrote to memory of 1652 | 2712 | DllCommonsvc.exe | 80
PID 2712 wrote to memory of 1652 | 2712 | DllCommonsvc.exe | 80
PID 2712 wrote to memory of 1328 | 2712 | DllCommonsvc.exe | 81
PID 2712 wrote to memory of 1328 | 2712 | DllCommonsvc.exe | 81
PID 2712 wrote to memory of 1328 | 2712 | DllCommonsvc.exe | 81
PID 2712 wrote to memory of 2464 | 2712 | DllCommonsvc.exe | 82
PID 2712 wrote to memory of 2464 | 2712 | DllCommonsvc.exe | 82
PID 2712 wrote to memory of 2464 | 2712 | DllCommonsvc.exe | 82
PID 2712 wrote to memory of 2636 | 2712 | DllCommonsvc.exe | 84
PID 2712 wrote to memory of 2636 | 2712 | DllCommonsvc.exe | 84
PID 2712 wrote to memory of 2636 | 2712 | DllCommonsvc.exe | 84
PID 2712 wrote to memory of 3008 | 2712 | DllCommonsvc.exe | 86
PID 2712 wrote to memory of 3008 | 2712 | DllCommonsvc.exe | 86
PID 2712 wrote to memory of 3008 | 2712 | DllCommonsvc.exe | 86
PID 2712 wrote to memory of 1260 | 2712 | DllCommonsvc.exe | 97
PID 2712 wrote to memory of 1260 | 2712 | DllCommonsvc.exe | 97
PID 2712 wrote to memory of 1260 | 2712 | DllCommonsvc.exe | 97
PID 1260 wrote to memory of 1620 | 1260 | System.exe | 98
PID 1260 wrote to memory of 1620 | 1260 | System.exe | 98
PID 1260 wrote to memory of 1620 | 1260 | System.exe | 98
PID 1620 wrote to memory of 2296 | 1620 | cmd.exe | 100
PID 1620 wrote to memory of 2296 | 1620 | cmd.exe | 100
PID 1620 wrote to memory of 2296 | 1620 | cmd.exe | 100
PID 1620 wrote to memory of 2884 | 1620 | cmd.exe | 101
PID 1620 wrote to memory of 2884 | 1620 | cmd.exe | 101
PID 1620 wrote to memory of 2884 | 1620 | cmd.exe | 101
PID 2884 wrote to memory of 1728 | 2884 | System.exe | 102
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5984ba0fba5910e05da433e9411f7314edfb0d264052264690136aa02e245694.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2296
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"8⤵PID:1728
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2476
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"10⤵PID:2636
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2548
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"12⤵PID:1968
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2872
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"14⤵PID:2748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2544
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"16⤵PID:1140
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2356
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"18⤵PID:1600
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2144
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"20⤵PID:2140
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2168
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"22⤵PID:612
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:380
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"24⤵PID:2688
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2472
-
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\Transliteration\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\authman\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
Network
MITRE ATT&CK Enterprise v15
Downloads