Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
21-12-2024 19:01
Behavioral task
behavioral1
Sample
JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
-
Size
1.3MB
-
MD5
e646f9464557838393e0637065e0c1fa
-
SHA1
09eacb5b59064dd42b3e241959fa55a9ad2f2f90
-
SHA256
5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953
-
SHA512
a597866b73f46dbcc0f34880d2e0f96cac19c482d0fa3cc14a49bd3344feadb0db3dc30ec55a574790c495ad23292399b8077f1dfa1d290f6f3472a8b8118620
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2808 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1400 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1804 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 296 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1016 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 888 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 352 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 844 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 1728 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 1728 | schtasks.exe | 34 |

-
| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0007000000019242-9.dat | dcrat |
| behavioral1/memory/2492-13-0x0000000000E30000-0x0000000000F40000-memory.dmp | dcrat |
| behavioral1/memory/2800-53-0x0000000000F50000-0x0000000001060000-memory.dmp | dcrat |
| behavioral1/memory/624-152-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat |
| behavioral1/memory/2620-213-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat |
| behavioral1/memory/2996-273-0x0000000000A80000-0x0000000000B90000-memory.dmp | dcrat |
| behavioral1/memory/2212-333-0x0000000000C50000-0x0000000000D60000-memory.dmp | dcrat |
| behavioral1/memory/2204-453-0x0000000001010000-0x0000000001120000-memory.dmp | dcrat |
| behavioral1/memory/2024-514-0x0000000000270000-0x0000000000380000-memory.dmp | dcrat |
| behavioral1/memory/2988-574-0x00000000012A0000-0x00000000013B0000-memory.dmp | dcrat |
| behavioral1/memory/1584-634-0x00000000000A0000-0x00000000001B0000-memory.dmp | dcrat |
| behavioral1/memory/3020-694-0x0000000000AD0000-0x0000000000BE0000-memory.dmp | dcrat |

-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
| --- | --- |
| 2984 | powershell.exe |
| 2892 | powershell.exe |
| 3000 | powershell.exe |
| 2912 | powershell.exe |
| 2976 | powershell.exe |
| 2960 | powershell.exe |
| 1712 | powershell.exe |
| 3004 | powershell.exe |
| 2936 | powershell.exe |
| 2896 | powershell.exe |

-
Executes dropped EXE 12 IoCs
| pid | Process |
| --- | --- |
| 2492 | DllCommonsvc.exe |
| 2800 | explorer.exe |
| 624 | explorer.exe |
| 2620 | explorer.exe |
| 2996 | explorer.exe |
| 2212 | explorer.exe |
| 1972 | explorer.exe |
| 2204 | explorer.exe |
| 2024 | explorer.exe |
| 2988 | explorer.exe |
| 1584 | explorer.exe |
| 3020 | explorer.exe |

-
Loads dropped DLL 2 IoCs
| pid | Process |
| --- | --- |
| 2052 | cmd.exe |
| 2052 | cmd.exe |

-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
| flow | ioc |
| --- | --- |
| 5 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 19 | raw.githubusercontent.com |
| 33 | raw.githubusercontent.com |
| 37 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 26 | raw.githubusercontent.com |
| 30 | raw.githubusercontent.com |

-
Drops file in Program Files directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\69ddcba757bf72 | DllCommonsvc.exe |

-
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Windows\Tasks\5940a34987c991 | DllCommonsvc.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe |

-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 844 | schtasks.exe |
| 2680 | schtasks.exe |
| 1016 | schtasks.exe |
| 2988 | schtasks.exe |
| 1548 | schtasks.exe |
| 1680 | schtasks.exe |
| 2820 | schtasks.exe |
| 2908 | schtasks.exe |
| 2636 | schtasks.exe |
| 1400 | schtasks.exe |
| 1804 | schtasks.exe |
| 2652 | schtasks.exe |
| 1444 | schtasks.exe |
| 752 | schtasks.exe |
| 2840 | schtasks.exe |
| 2856 | schtasks.exe |
| 2596 | schtasks.exe |
| 1676 | schtasks.exe |
| 888 | schtasks.exe |
| 2808 | schtasks.exe |
| 2744 | schtasks.exe |
| 2860 | schtasks.exe |
| 296 | schtasks.exe |
| 352 | schtasks.exe |
| 1144 | schtasks.exe |
| 2076 | schtasks.exe |
| 2816 | schtasks.exe |

-
Suspicious behavior: EnumeratesProcesses 22 IoCs
| pid | Process |
| --- | --- |
| 2492 | DllCommonsvc.exe |
| 2892 | powershell.exe |
| 2960 | powershell.exe |
| 2936 | powershell.exe |
| 2896 | powershell.exe |
| 2984 | powershell.exe |
| 1712 | powershell.exe |
| 3004 | powershell.exe |
| 2912 | powershell.exe |
| 3000 | powershell.exe |
| 2976 | powershell.exe |
| 2800 | explorer.exe |
| 624 | explorer.exe |
| 2620 | explorer.exe |
| 2996 | explorer.exe |
| 2212 | explorer.exe |
| 1972 | explorer.exe |
| 2204 | explorer.exe |
| 2024 | explorer.exe |
| 2988 | explorer.exe |
| 1584 | explorer.exe |
| 3020 | explorer.exe |

-
Suspicious use of AdjustPrivilegeToken 22 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2492 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2892 | powershell.exe |
| Token: SeDebugPrivilege | 2960 | powershell.exe |
| Token: SeDebugPrivilege | 2936 | powershell.exe |
| Token: SeDebugPrivilege | 2896 | powershell.exe |
| Token: SeDebugPrivilege | 2984 | powershell.exe |
| Token: SeDebugPrivilege | 1712 | powershell.exe |
| Token: SeDebugPrivilege | 3004 | powershell.exe |
| Token: SeDebugPrivilege | 2800 | explorer.exe |
| Token: SeDebugPrivilege | 2912 | powershell.exe |
| Token: SeDebugPrivilege | 3000 | powershell.exe |
| Token: SeDebugPrivilege | 2976 | powershell.exe |
| Token: SeDebugPrivilege | 624 | explorer.exe |
| Token: SeDebugPrivilege | 2620 | explorer.exe |
| Token: SeDebugPrivilege | 2996 | explorer.exe |
| Token: SeDebugPrivilege | 2212 | explorer.exe |
| Token: SeDebugPrivilege | 1972 | explorer.exe |
| Token: SeDebugPrivilege | 2204 | explorer.exe |
| Token: SeDebugPrivilege | 2024 | explorer.exe |
| Token: SeDebugPrivilege | 2988 | explorer.exe |
| Token: SeDebugPrivilege | 1584 | explorer.exe |
| Token: SeDebugPrivilege | 3020 | explorer.exe |

-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2652
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:316
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat" 10⤵ PID:1992
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:1600
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat" 12⤵ PID:2752
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2540
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat" 14⤵ PID:1952
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:1288
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat" 16⤵ PID:2400
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:940
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat" 18⤵ PID:2816
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:2068
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat" 20⤵ PID:968
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:1560
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat" 22⤵ PID:1528
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:2992
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat" 24⤵ PID:1768
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:1708
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe" 25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB