Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 18:29
Behavioral task: behavioral1
- Sample: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
- Size: 1.3MB
- MD5: 2a2f491aa6f9963908916033c9cedd3c
- SHA1: fe26fa5085318afe6c8e35924c524906c410b075
- SHA256: 148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74
- SHA512: 27fa84df57c93eb04be0de81cf38322b0e454651a07599397441f178837b9112c2e8eadb7db43bf7aa5f557cd293c0a5f610b1da971fc02a1f5855112433cfd4
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2740 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2296 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 556 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 932 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1152 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1264 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2040 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3028 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 616 | 2804 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2804 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0007000000016cab-9.dat | dcrat
behavioral1/memory/2480-13-0x0000000000E10000-0x0000000000F20000-memory.dmp | dcrat
behavioral1/memory/1732-73-0x0000000000290000-0x00000000003A0000-memory.dmp | dcrat
behavioral1/memory/2028-159-0x00000000001E0000-0x00000000002F0000-memory.dmp | dcrat
behavioral1/memory/1236-220-0x0000000000920000-0x0000000000A30000-memory.dmp | dcrat
behavioral1/memory/1976-280-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
behavioral1/memory/1888-458-0x0000000000350000-0x0000000000460000-memory.dmp | dcrat
behavioral1/memory/2836-518-0x0000000000E80000-0x0000000000F90000-memory.dmp | dcrat
behavioral1/memory/1824-578-0x0000000000320000-0x0000000000430000-memory.dmp | dcrat
behavioral1/memory/2424-638-0x0000000001180000-0x0000000001290000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1048 | powershell.exe
2008 | powershell.exe
2624 | powershell.exe
1788 | powershell.exe
800 | powershell.exe
960 | powershell.exe
1340 | powershell.exe
1872 | powershell.exe
1164 | powershell.exe
3000 | powershell.exe
3012 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2480 | DllCommonsvc.exe
1732 | lsass.exe
2028 | lsass.exe
1236 | lsass.exe
1976 | lsass.exe
832 | lsass.exe
2908 | lsass.exe
1888 | lsass.exe
2836 | lsass.exe
1824 | lsass.exe
2424 | lsass.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2016 | cmd.exe
2016 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows NT\Accessories\it-IT\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\debug\WIA\lsass.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\debug\WIA\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\debug\WIA\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\Globalization\ELS\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Globalization\ELS\6cb0b6c459d5d3 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2480 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1732 | lsass.exe
Token: SeDebugPrivilege | 800 | powershell.exe
Token: SeDebugPrivilege | 1340 | powershell.exe
Token: SeDebugPrivilege | 1164 | powershell.exe
Token: SeDebugPrivilege | 960 | powershell.exe
Token: SeDebugPrivilege | 1788 | powershell.exe
Token: SeDebugPrivilege | 1048 | powershell.exe
Token: SeDebugPrivilege | 2624 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 2008 | powershell.exe
Token: SeDebugPrivilege | 1872 | powershell.exe
Token: SeDebugPrivilege | 3000 | powershell.exe
Token: SeDebugPrivilege | 2028 | lsass.exe
Token: SeDebugPrivilege | 1236 | lsass.exe
Token: SeDebugPrivilege | 1976 | lsass.exe
Token: SeDebugPrivilege | 832 | lsass.exe
Token: SeDebugPrivilege | 2908 | lsass.exe
Token: SeDebugPrivilege | 1888 | lsass.exe
Token: SeDebugPrivilege | 2836 | lsass.exe
Token: SeDebugPrivilege | 1824 | lsass.exe
Token: SeDebugPrivilege | 2424 | lsass.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe"
Depth: 1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Depth: 2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
Depth: 3
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
Depth: 4
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\lsass.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\dwm.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows\dwm.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
Depth: 6
- Suspicious use of WriteProcessMemory
PID:1700
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 7
PID:2280
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 7
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
Depth: 8
- Suspicious use of WriteProcessMemory
PID:2420
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 9
PID:2352
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 9
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
Depth: 10
PID:2708
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 11
PID:1888
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 11
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
Depth: 12
PID:2136
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 13
PID:2380
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 13
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
Depth: 14
PID:2900
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 15
PID:2028
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 15
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
Depth: 16
PID:1356
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 17
PID:2620
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 17
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
Depth: 18
PID:1664
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 19
PID:1732
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 19
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
Depth: 20
PID:2080
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 21
PID:1036
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 21
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
Depth: 22
PID:1504
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 23
PID:316
-
-
C:\Windows\debug\WIA\lsass.exe
"C:\Windows\debug\WIA\lsass.exe"
Depth: 23
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\lsass.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\ELS\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\ELS\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Windows\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Windows\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB