Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:46
Behavioral task behavioral1
Sample: JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe
Size: 1.3MB
MD5: 0880167e5ec03a35ec7e473d933337c2
SHA1: e722babb9516e2104a996fc349f68be4d386d246
SHA256: 20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461
SHA512: 27df89a4af55fedc53ab98916b1fc67908e5caab307971d303c4cf9a081c97c4e55a6398e620ec4eecbfccb35334a3368821f25b109db04ce7851efbdbcbc65c
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (33 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  All 33 rows share description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2616, Process schtasks.exe and procid_target 35; the pid column holds, in order: 2980, 2988, 1516, 2880, 1500, 2408, 2060, 1536, 1612, 356, 584, 1504, 2012, 2348, 2848, 1664, 1652, 1336, 2924, 2404, 1488, 2104, 2080, 2208, 1004, 448, 1932, 1316, 1000, 1992, 1092, 1616, 960
  resource | yara_rule
  behavioral1/files/0x0008000000016dbe-12.dat | dcrat
  behavioral1/memory/2580-13-0x0000000001200000-0x0000000001310000-memory.dmp | dcrat
  behavioral1/memory/484-110-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
  behavioral1/memory/2240-169-0x0000000000800000-0x0000000000910000-memory.dmp | dcrat
  behavioral1/memory/556-229-0x0000000000850000-0x0000000000960000-memory.dmp | dcrat
  behavioral1/memory/2320-348-0x0000000000C70000-0x0000000000D80000-memory.dmp | dcrat
  behavioral1/memory/2440-408-0x0000000001100000-0x0000000001210000-memory.dmp | dcrat
  behavioral1/memory/864-528-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process: powershell.exe with PIDs 1388, 2332, 1684, 1532, 1540, 896, 1752, 1772, 3068, 2000, 2452, 2180
- Executes dropped EXE (11 IoCs)
  pid | Process: 2580 DllCommonsvc.exe; conhost.exe with PIDs 484, 2240, 556, 1364, 2320, 2440, 1064, 864, 1328, 2296
- Loads dropped DLL (2 IoCs)
  pid | Process: 2172 cmd.exe; 2172 cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow | ioc: raw.githubusercontent.com in flows 4, 5, 9, 12, 16, 20, 23, 27, 30, 34, 38
- Drops file in Program Files directory (7 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1610b97d3ab4a7 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe | DllCommonsvc.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\c5b4cb5e9653cc | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\conhost.exe | DllCommonsvc.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\088424020bedd6 | DllCommonsvc.exe
  File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe | DllCommonsvc.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\Cursors\OSPPSVC.exe | DllCommonsvc.exe
  File created | C:\Windows\Cursors\1610b97d3ab4a7 | DllCommonsvc.exe
  File created | C:\Windows\Speech\Engines\SR\es-ES\csrss.exe | DllCommonsvc.exe
  File created | C:\Windows\Branding\ShellBrd\explorer.exe | DllCommonsvc.exe
  File created | C:\Windows\Branding\ShellBrd\7a0fd90576e088 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 33 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process: schtasks.exe with PIDs 584, 2208, 1316, 1616, 2408, 356, 1664, 1488, 1932, 1092, 2980, 2988, 2348, 1336, 1000, 1992, 1516, 2880, 1612, 2104, 2080, 1004, 2924, 448, 1536, 1504, 2404, 1500, 2060, 2012, 2848, 1652, 960
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process: 2580 DllCommonsvc.exe; powershell.exe with PIDs 1388, 2452, 1540, 1684, 2332, 1772, 896, 3068, 2000, 1532, 2180, 1752; conhost.exe with PIDs 484, 2240, 556, 1364, 2320, 2440, 1064, 864, 1328, 2296
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description | pid | Process: Token: SeDebugPrivilege for 2580 DllCommonsvc.exe; powershell.exe with PIDs 2452, 1388, 1540, 1684, 2332, 1772, 896, 3068, 2000, 1532, 2180, 1752; conhost.exe with PIDs 484, 2240, 556, 1364, 2320, 2440, 1064, 864, 1328, 2296
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (identical rows collapsed, with their count)
  PID 2636 wrote to memory of 2760 | 2636 | JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe | 31 (4 rows)
  PID 2760 wrote to memory of 2172 | 2760 | WScript.exe | 32 (4 rows)
  PID 2172 wrote to memory of 2580 | 2172 | cmd.exe | 34 (4 rows)
  PID 2580 wrote to memory of 1388 | 2580 | DllCommonsvc.exe | 69 (3 rows)
  PID 2580 wrote to memory of 2332 | 2580 | DllCommonsvc.exe | 70 (3 rows)
  PID 2580 wrote to memory of 3068 | 2580 | DllCommonsvc.exe | 71 (3 rows)
  PID 2580 wrote to memory of 1684 | 2580 | DllCommonsvc.exe | 72 (3 rows)
  PID 2580 wrote to memory of 1532 | 2580 | DllCommonsvc.exe | 73 (3 rows)
  PID 2580 wrote to memory of 1540 | 2580 | DllCommonsvc.exe | 74 (3 rows)
  PID 2580 wrote to memory of 896 | 2580 | DllCommonsvc.exe | 75 (3 rows)
  PID 2580 wrote to memory of 2000 | 2580 | DllCommonsvc.exe | 76 (3 rows)
  PID 2580 wrote to memory of 1752 | 2580 | DllCommonsvc.exe | 77 (3 rows)
  PID 2580 wrote to memory of 2452 | 2580 | DllCommonsvc.exe | 78 (3 rows)
  PID 2580 wrote to memory of 1772 | 2580 | DllCommonsvc.exe | 79 (3 rows)
  PID 2580 wrote to memory of 2180 | 2580 | DllCommonsvc.exe | 80 (3 rows)
  PID 2580 wrote to memory of 2936 | 2580 | DllCommonsvc.exe | 88 (3 rows)
  PID 2936 wrote to memory of 3000 | 2936 | cmd.exe | 95 (3 rows)
  PID 2936 wrote to memory of 484 | 2936 | cmd.exe | 96 (3 rows)
  PID 484 wrote to memory of 580 | 484 | conhost.exe | 97 (3 rows)
  PID 580 wrote to memory of 2104 | 580 | cmd.exe | 99 (3 rows)
  PID 580 wrote to memory of 2240 | 580 | cmd.exe | 100 (1 row; the list stops at 64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2636
(depth 2) C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2760
(depth 3) C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2172
(depth 4) C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2580
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, twelve instances, each carrying the signatures "Command and Scripting Interpreter: PowerShell", "Suspicious behavior: EnumeratesProcesses" and "Suspicious use of AdjustPrivilegeToken"
  PID 1388: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID 2332: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'
  PID 3068: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
  PID 1684: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\explorer.exe'
  PID 1532: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\OSPPSVC.exe'
  PID 1540: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
  PID 896: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
  PID 2000: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
  PID 1752: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'
  PID 2452: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
  PID 1772: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\cmd.exe'
  PID 2180: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'
(depth 5) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2936
(depth 6) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3000
(depth 6) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 484
(depth 7) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
  - Suspicious use of WriteProcessMemory
  PID: 580
(depth 8) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2104
(depth 8) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2240
(depth 9) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
  PID: 1912
(depth 10) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1864
(depth 10) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 556
(depth 11) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
  PID: 2268
(depth 12) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2060
(depth 12) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1364
(depth 13) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
  PID: 2164
(depth 14) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1456
(depth 14) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2320
(depth 15) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
  PID: 2884
(depth 16) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1380
(depth 16) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2440
(depth 17) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
  PID: 556
(depth 18) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2060
(depth 18) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1064
(depth 19) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
  PID: 2744
(depth 20) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2148
(depth 20) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 864
(depth 21) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
  PID: 1708
(depth 22) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2100
(depth 22) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1328
(depth 23) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
  PID: 2528
(depth 24) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1196
(depth 24) C:\Program Files (x86)\Windows Portable Devices\conhost.exe
  command line: "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2296
(depth 25) C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
  PID: 2648
(depth 26) C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2112
(depth 1) C:\Windows\system32\schtasks.exe, 33 instances, each carrying the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task"
  PID 2980: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /f
  PID 2988: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /rl HIGHEST /f
  PID 1516: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /rl HIGHEST /f
  PID 2880: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
  PID 1500: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
  PID 2408: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
  PID 2060: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\explorer.exe'" /f
  PID 1536: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\explorer.exe'" /rl HIGHEST /f
  PID 1612: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\explorer.exe'" /rl HIGHEST /f
  PID 356: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /f
  PID 584: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
  PID 1504: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
  PID 2012: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f
  PID 2348: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
  PID 2848: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
  PID 1664: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
  PID 1652: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
  PID 1336: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
  PID 2924: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
  PID 2404: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  PID 1488: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  PID 2104: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /f
  PID 2080: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
  PID 2208: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
  PID 1004: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
  PID 448: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
  PID 1932: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
  PID 1316: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\cmd.exe'" /f
  PID 1000: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Recent\cmd.exe'" /rl HIGHEST /f
  PID 1992: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\cmd.exe'" /rl HIGHEST /f
  PID 1092: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
  PID 1616: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
  PID 960: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads