Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 17:06
Behavioral task: behavioral1
Sample: JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
Size: 1.3MB
MD5: e65e571c5ceb2b4ca6c44e4e88c957ef
SHA1: f9435f9dd1e9aeb2e26583103384644abcac6150
SHA256: b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577
SHA512: ed40eee93411f9ed5803ce185567343c291c0355d3ea4891bcc72a45bad33f35722f2ba618472bb56b5d2db1340b13caea855a7a86eb2a824a8a6934224172e6
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2836 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2836 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1700 | 2836 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2836 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2836 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 2836 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x000800000001659b-11.dat | dcrat
behavioral1/memory/2760-13-0x00000000008A0000-0x00000000009B0000-memory.dmp | dcrat
behavioral1/memory/1796-45-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
behavioral1/memory/2296-104-0x0000000000200000-0x0000000000310000-memory.dmp | dcrat
behavioral1/memory/2964-165-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/1228-225-0x00000000000B0000-0x00000000001C0000-memory.dmp | dcrat
behavioral1/memory/836-285-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat
behavioral1/memory/2908-345-0x0000000000EA0000-0x0000000000FB0000-memory.dmp | dcrat
behavioral1/memory/2640-405-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat
behavioral1/memory/1904-465-0x0000000000D00000-0x0000000000E10000-memory.dmp | dcrat
behavioral1/memory/2968-646-0x00000000002C0000-0x00000000003D0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2300 | powershell.exe
2592 | powershell.exe
1156 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2760 | DllCommonsvc.exe
1796 | dllhost.exe
2296 | dllhost.exe
2964 | dllhost.exe
1228 | dllhost.exe
836 | dllhost.exe
2908 | dllhost.exe
2640 | dllhost.exe
1904 | dllhost.exe
2344 | dllhost.exe
2668 | dllhost.exe
2968 | dllhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2468 | cmd.exe
2468 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
32 | raw.githubusercontent.com
38 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
35 | raw.githubusercontent.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2660 | schtasks.exe
1700 | schtasks.exe
2616 | schtasks.exe
2684 | schtasks.exe
1440 | schtasks.exe
2800 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
2760 | DllCommonsvc.exe
1156 | powershell.exe
2592 | powershell.exe
2300 | powershell.exe
1796 | dllhost.exe
2296 | dllhost.exe
2964 | dllhost.exe
1228 | dllhost.exe
836 | dllhost.exe
2908 | dllhost.exe
2640 | dllhost.exe
1904 | dllhost.exe
2344 | dllhost.exe
2668 | dllhost.exe
2968 | dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2760 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1156 | powershell.exe
Token: SeDebugPrivilege | 2592 | powershell.exe
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 1796 | dllhost.exe
Token: SeDebugPrivilege | 2296 | dllhost.exe
Token: SeDebugPrivilege | 2964 | dllhost.exe
Token: SeDebugPrivilege | 1228 | dllhost.exe
Token: SeDebugPrivilege | 836 | dllhost.exe
Token: SeDebugPrivilege | 2908 | dllhost.exe
Token: SeDebugPrivilege | 2640 | dllhost.exe
Token: SeDebugPrivilege | 1904 | dllhost.exe
Token: SeDebugPrivilege | 2344 | dllhost.exe
Token: SeDebugPrivilege | 2668 | dllhost.exe
Token: SeDebugPrivilege | 2968 | dllhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
-
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
-
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7RhMOLbPK5.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:1924
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵
PID:1124
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:1080
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵
PID:576
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:2804
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵
PID:3032
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat" 11⤵
- Suspicious use of WriteProcessMemory
PID:1064
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵
PID:2688
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat" 13⤵
- Suspicious use of WriteProcessMemory
PID:1816
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵
PID:2368
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat" 15⤵
PID:2540
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵
PID:2148
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat" 17⤵
PID:1696
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵
PID:2424
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat" 19⤵
PID:1368
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵
PID:1584
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat" 21⤵
PID:2520
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵
PID:1600
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat" 23⤵
PID:2900
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵
PID:1300
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat" 25⤵
PID:1716
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵
PID:2416
-
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe" 26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat" 27⤵
PID:936
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵
PID:1180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
Network
MITRE ATT&CK Enterprise v15
Downloads