Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 19:36
Behavioral task
behavioral1
Sample
JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe
-
Size
1.3MB
-
MD5
b309007b6a23a77c82518bb9ec9b0f98
-
SHA1
0ae15aabf16eb3db456221d4533db4e469fa8926
-
SHA256
6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188
-
SHA512
7694ce141e251417f745d7866d8d643882b93011f860605f3168595a91d9cedfdaea8e80e5fd547a96573e42df03187634008fa6cdd8a4444b5ee53b4952ac22
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2904 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2092 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1124 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 864 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2308 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 2064 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 764 | 2064 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000015cd1-12.dat | dcrat
behavioral1/memory/2704-13-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
behavioral1/memory/2684-101-0x0000000000ED0000-0x0000000000FE0000-memory.dmp | dcrat
behavioral1/memory/2652-160-0x0000000000F00000-0x0000000001010000-memory.dmp | dcrat
behavioral1/memory/2704-280-0x0000000000150000-0x0000000000260000-memory.dmp | dcrat
behavioral1/memory/3052-340-0x0000000000D20000-0x0000000000E30000-memory.dmp | dcrat
behavioral1/memory/1688-400-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat
behavioral1/memory/2864-460-0x0000000000120000-0x0000000000230000-memory.dmp | dcrat
behavioral1/memory/596-520-0x0000000000130000-0x0000000000240000-memory.dmp | dcrat
behavioral1/memory/2452-580-0x00000000010C0000-0x00000000011D0000-memory.dmp | dcrat
behavioral1/memory/772-640-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat
behavioral1/memory/2968-759-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1144 | powershell.exe
1900 | powershell.exe
692 | powershell.exe
1692 | powershell.exe
1516 | powershell.exe
772 | powershell.exe
1540 | powershell.exe
1364 | powershell.exe
940 | powershell.exe
1776 | powershell.exe
620 | powershell.exe
-
Executes dropped EXE 13 IoCs
pid | Process
2704 | DllCommonsvc.exe
2684 | Idle.exe
2652 | Idle.exe
3044 | Idle.exe
2704 | Idle.exe
3052 | Idle.exe
1688 | Idle.exe
2864 | Idle.exe
596 | Idle.exe
2452 | Idle.exe
772 | Idle.exe
1724 | Idle.exe
2968 | Idle.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2088 | cmd.exe
2088 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
35 | raw.githubusercontent.com
38 | raw.githubusercontent.com
4 | raw.githubusercontent.com
-
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\de-DE\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Uninstall Information\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Uninstall Information\Idle.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2816 | schtasks.exe
2656 | schtasks.exe
2608 | schtasks.exe
1272 | schtasks.exe
2308 | schtasks.exe
1704 | schtasks.exe
864 | schtasks.exe
2920 | schtasks.exe
2512 | schtasks.exe
2212 | schtasks.exe
2684 | schtasks.exe
3052 | schtasks.exe
1124 | schtasks.exe
2852 | schtasks.exe
2800 | schtasks.exe
2192 | schtasks.exe
1836 | schtasks.exe
1944 | schtasks.exe
2712 | schtasks.exe
2236 | schtasks.exe
2856 | schtasks.exe
1892 | schtasks.exe
2904 | schtasks.exe
2444 | schtasks.exe
1152 | schtasks.exe
764 | schtasks.exe
2092 | schtasks.exe
2372 | schtasks.exe
1136 | schtasks.exe
2496 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
2704 | DllCommonsvc.exe
2704 | DllCommonsvc.exe
2704 | DllCommonsvc.exe
1516 | powershell.exe
620 | powershell.exe
1144 | powershell.exe
1776 | powershell.exe
772 | powershell.exe
1692 | powershell.exe
1540 | powershell.exe
1364 | powershell.exe
940 | powershell.exe
692 | powershell.exe
1900 | powershell.exe
2684 | Idle.exe
2652 | Idle.exe
3044 | Idle.exe
2704 | Idle.exe
3052 | Idle.exe
1688 | Idle.exe
2864 | Idle.exe
596 | Idle.exe
2452 | Idle.exe
772 | Idle.exe
1724 | Idle.exe
2968 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2704 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1516 | powershell.exe
Token: SeDebugPrivilege | 620 | powershell.exe
Token: SeDebugPrivilege | 1144 | powershell.exe
Token: SeDebugPrivilege | 1776 | powershell.exe
Token: SeDebugPrivilege | 772 | powershell.exe
Token: SeDebugPrivilege | 1692 | powershell.exe
Token: SeDebugPrivilege | 1540 | powershell.exe
Token: SeDebugPrivilege | 1364 | powershell.exe
Token: SeDebugPrivilege | 940 | powershell.exe
Token: SeDebugPrivilege | 692 | powershell.exe
Token: SeDebugPrivilege | 1900 | powershell.exe
Token: SeDebugPrivilege | 2684 | Idle.exe
Token: SeDebugPrivilege | 2652 | Idle.exe
Token: SeDebugPrivilege | 3044 | Idle.exe
Token: SeDebugPrivilege | 2704 | Idle.exe
Token: SeDebugPrivilege | 3052 | Idle.exe
Token: SeDebugPrivilege | 1688 | Idle.exe
Token: SeDebugPrivilege | 2864 | Idle.exe
Token: SeDebugPrivilege | 596 | Idle.exe
Token: SeDebugPrivilege | 2452 | Idle.exe
Token: SeDebugPrivilege | 772 | Idle.exe
Token: SeDebugPrivilege | 1724 | Idle.exe
Token: SeDebugPrivilege | 2968 | Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2428 wrote to memory of 2256 | 2428 | JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe | 30
PID 2428 wrote to memory of 2256 | 2428 | JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe | 30
PID 2428 wrote to memory of 2256 | 2428 | JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe | 30
PID 2428 wrote to memory of 2256 | 2428 | JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe | 30
PID 2256 wrote to memory of 2088 | 2256 | WScript.exe | 31
PID 2256 wrote to memory of 2088 | 2256 | WScript.exe | 31
PID 2256 wrote to memory of 2088 | 2256 | WScript.exe | 31
PID 2256 wrote to memory of 2088 | 2256 | WScript.exe | 31
PID 2088 wrote to memory of 2704 | 2088 | cmd.exe | 33
PID 2088 wrote to memory of 2704 | 2088 | cmd.exe | 33
PID 2088 wrote to memory of 2704 | 2088 | cmd.exe | 33
PID 2088 wrote to memory of 2704 | 2088 | cmd.exe | 33
PID 2704 wrote to memory of 1516 | 2704 | DllCommonsvc.exe | 65
PID 2704 wrote to memory of 1516 | 2704 | DllCommonsvc.exe | 65
PID 2704 wrote to memory of 1516 | 2704 | DllCommonsvc.exe | 65
PID 2704 wrote to memory of 772 | 2704 | DllCommonsvc.exe | 66
PID 2704 wrote to memory of 772 | 2704 | DllCommonsvc.exe | 66
PID 2704 wrote to memory of 772 | 2704 | DllCommonsvc.exe | 66
PID 2704 wrote to memory of 1776 | 2704 | DllCommonsvc.exe | 67
PID 2704 wrote to memory of 1776 | 2704 | DllCommonsvc.exe | 67
PID 2704 wrote to memory of 1776 | 2704 | DllCommonsvc.exe | 67
PID 2704 wrote to memory of 620 | 2704 | DllCommonsvc.exe | 68
PID 2704 wrote to memory of 620 | 2704 | DllCommonsvc.exe | 68
PID 2704 wrote to memory of 620 | 2704 | DllCommonsvc.exe | 68
PID 2704 wrote to memory of 940 | 2704 | DllCommonsvc.exe | 69
PID 2704 wrote to memory of 940 | 2704 | DllCommonsvc.exe | 69
PID 2704 wrote to memory of 940 | 2704 | DllCommonsvc.exe | 69
PID 2704 wrote to memory of 1364 | 2704 | DllCommonsvc.exe | 70
PID 2704 wrote to memory of 1364 | 2704 | DllCommonsvc.exe | 70
PID 2704 wrote to memory of 1364 | 2704 | DllCommonsvc.exe | 70
PID 2704 wrote to memory of 1540 | 2704 | DllCommonsvc.exe | 71
PID 2704 wrote to memory of 1540 | 2704 | DllCommonsvc.exe | 71
PID 2704 wrote to memory of 1540 | 2704 | DllCommonsvc.exe | 71
PID 2704 wrote to memory of 1692 | 2704 | DllCommonsvc.exe | 72
PID 2704 wrote to memory of 1692 | 2704 | DllCommonsvc.exe | 72
PID 2704 wrote to memory of 1692 | 2704 | DllCommonsvc.exe | 72
PID 2704 wrote to memory of 692 | 2704 | DllCommonsvc.exe | 73
PID 2704 wrote to memory of 692 | 2704 | DllCommonsvc.exe | 73
PID 2704 wrote to memory of 692 | 2704 | DllCommonsvc.exe | 73
PID 2704 wrote to memory of 1900 | 2704 | DllCommonsvc.exe | 74
PID 2704 wrote to memory of 1900 | 2704 | DllCommonsvc.exe | 74
PID 2704 wrote to memory of 1900 | 2704 | DllCommonsvc.exe | 74
PID 2704 wrote to memory of 1144 | 2704 | DllCommonsvc.exe | 75
PID 2704 wrote to memory of 1144 | 2704 | DllCommonsvc.exe | 75
PID 2704 wrote to memory of 1144 | 2704 | DllCommonsvc.exe | 75
PID 2704 wrote to memory of 2988 | 2704 | DllCommonsvc.exe | 87
PID 2704 wrote to memory of 2988 | 2704 | DllCommonsvc.exe | 87
PID 2704 wrote to memory of 2988 | 2704 | DllCommonsvc.exe | 87
PID 2988 wrote to memory of 2908 | 2988 | cmd.exe | 90
PID 2988 wrote to memory of 2908 | 2988 | cmd.exe | 90
PID 2988 wrote to memory of 2908 | 2988 | cmd.exe | 90
PID 2988 wrote to memory of 2684 | 2988 | cmd.exe | 91
PID 2988 wrote to memory of 2684 | 2988 | cmd.exe | 91
PID 2988 wrote to memory of 2684 | 2988 | cmd.exe | 91
PID 2684 wrote to memory of 1128 | 2684 | Idle.exe | 92
PID 2684 wrote to memory of 1128 | 2684 | Idle.exe | 92
PID 2684 wrote to memory of 1128 | 2684 | Idle.exe | 92
PID 1128 wrote to memory of 2004 | 1128 | cmd.exe | 94
PID 1128 wrote to memory of 2004 | 1128 | cmd.exe | 94
PID 1128 wrote to memory of 2004 | 1128 | cmd.exe | 94
PID 1128 wrote to memory of 2652 | 1128 | cmd.exe | 95
PID 1128 wrote to memory of 2652 | 1128 | cmd.exe | 95
PID 1128 wrote to memory of 2652 | 1128 | cmd.exe | 95
PID 2652 wrote to memory of 656 | 2652 | Idle.exe | 96
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
[depth 2] C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
[depth 3] C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
[depth 4] C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
[depth 5] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tF0Pk8ddI5.bat"
- Suspicious use of WriteProcessMemory
PID:2988 -
[depth 6] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2908
-
-
[depth 6] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
[depth 7] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
- Suspicious use of WriteProcessMemory
PID:1128 -
[depth 8] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2004
-
-
[depth 8] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652 -
[depth 9] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
PID:656
-
[depth 10] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1144
-
-
[depth 10] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044 -
[depth 11] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
PID:2960
-
[depth 12] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1356
-
-
[depth 12] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
[depth 13] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
PID:2844
-
[depth 14] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2140
-
-
[depth 14] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
[depth 15] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
PID:2208
-
[depth 16] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1752
-
-
[depth 16] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
[depth 17] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
PID:1744
-
[depth 18] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1848
-
-
[depth 18] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864 -
[depth 19] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
PID:1508
-
[depth 20] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2836
-
-
[depth 20] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596 -
[depth 21] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
PID:2672
-
[depth 22] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:760
-
-
[depth 22] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
[depth 23] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
PID:1052
-
[depth 24] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3068
-
-
[depth 24] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772 -
[depth 25] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
PID:800
-
[depth 26] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:476
-
-
[depth 26] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
[depth 27] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
PID:2440
-
[depth 28] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1892
-
-
[depth 28] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB