Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 20:14
Behavioral task
behavioral1
Sample
JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe
-
Size
1.3MB
-
MD5
7c2dc10b63a2ae06c8752d0ae3cbc3fa
-
SHA1
97cbad5e3a8a94ac6122322fbba0542b0f2a0303
-
SHA256
0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc
-
SHA512
0be6fa590f0ce0b38a7ac8c5f9f70b831aea8558ede26174b93e085f077f0f8f6f562c58851f6d2cfdcaa220f5cb8c4f7facd06213c9462b737d70edff095869
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 276 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 664 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3028 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1748 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2432 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2296 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 3040 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2232 | 3040 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0007000000015d87-12.dat | dcrat
behavioral1/memory/2256-13-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
behavioral1/memory/276-91-0x0000000000A30000-0x0000000000B40000-memory.dmp | dcrat
behavioral1/memory/2328-210-0x0000000000280000-0x0000000000390000-memory.dmp | dcrat
behavioral1/memory/1956-271-0x0000000001290000-0x00000000013A0000-memory.dmp | dcrat
behavioral1/memory/2108-686-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1580 | powershell.exe
1112 | powershell.exe
624 | powershell.exe
1732 | powershell.exe
2052 | powershell.exe
1420 | powershell.exe
1788 | powershell.exe
1956 | powershell.exe
1132 | powershell.exe
1704 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2256 | DllCommonsvc.exe
276 | spoolsv.exe
2568 | spoolsv.exe
2328 | spoolsv.exe
1956 | spoolsv.exe
2408 | spoolsv.exe
1288 | spoolsv.exe
2052 | spoolsv.exe
2176 | spoolsv.exe
972 | spoolsv.exe
1740 | spoolsv.exe
2108 | spoolsv.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2896 | cmd.exe
2896 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
9 | raw.githubusercontent.com
20 | raw.githubusercontent.com
30 | raw.githubusercontent.com
23 | raw.githubusercontent.com
27 | raw.githubusercontent.com
34 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\assembly\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\assembly\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\cc11b995f2a76d | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
664 | schtasks.exe
2436 | schtasks.exe
1784 | schtasks.exe
2880 | schtasks.exe
1552 | schtasks.exe
2408 | schtasks.exe
2388 | schtasks.exe
2124 | schtasks.exe
2232 | schtasks.exe
2788 | schtasks.exe
1932 | schtasks.exe
3028 | schtasks.exe
2544 | schtasks.exe
2928 | schtasks.exe
1748 | schtasks.exe
784 | schtasks.exe
1980 | schtasks.exe
276 | schtasks.exe
2060 | schtasks.exe
2976 | schtasks.exe
560 | schtasks.exe
2432 | schtasks.exe
2296 | schtasks.exe
536 | schtasks.exe
2352 | schtasks.exe
2856 | schtasks.exe
2220 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
2256 | DllCommonsvc.exe
1132 | powershell.exe
1420 | powershell.exe
1788 | powershell.exe
1732 | powershell.exe
1580 | powershell.exe
2052 | powershell.exe
1704 | powershell.exe
1112 | powershell.exe
624 | powershell.exe
1956 | powershell.exe
276 | spoolsv.exe
2568 | spoolsv.exe
2328 | spoolsv.exe
1956 | spoolsv.exe
2408 | spoolsv.exe
1288 | spoolsv.exe
2052 | spoolsv.exe
2176 | spoolsv.exe
972 | spoolsv.exe
1740 | spoolsv.exe
2108 | spoolsv.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2256 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1132 | powershell.exe
Token: SeDebugPrivilege | 1420 | powershell.exe
Token: SeDebugPrivilege | 1788 | powershell.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
Token: SeDebugPrivilege | 1580 | powershell.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 1704 | powershell.exe
Token: SeDebugPrivilege | 1112 | powershell.exe
Token: SeDebugPrivilege | 624 | powershell.exe
Token: SeDebugPrivilege | 1956 | powershell.exe
Token: SeDebugPrivilege | 276 | spoolsv.exe
Token: SeDebugPrivilege | 2568 | spoolsv.exe
Token: SeDebugPrivilege | 2328 | spoolsv.exe
Token: SeDebugPrivilege | 1956 | spoolsv.exe
Token: SeDebugPrivilege | 2408 | spoolsv.exe
Token: SeDebugPrivilege | 1288 | spoolsv.exe
Token: SeDebugPrivilege | 2052 | spoolsv.exe
Token: SeDebugPrivilege | 2176 | spoolsv.exe
Token: SeDebugPrivilege | 972 | spoolsv.exe
Token: SeDebugPrivilege | 1740 | spoolsv.exe
Token: SeDebugPrivilege | 2108 | spoolsv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe"
Depth:1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Depth:2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
Depth:3
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
Depth:4
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\winlogon.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\wininit.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cAu3s559Vz.bat"
Depth:5
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:6
PID:576
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:6
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
Depth:7
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:8
PID:112
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:8
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
Depth:9
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:10
PID:1940
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:10
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
Depth:11
PID:2892
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:12
PID:2256
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:12
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
Depth:13
PID:2352
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:14
PID:1752
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:14
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
Depth:15
PID:1952
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:16
PID:2488
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:16
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
Depth:17
PID:2972
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:18
PID:2376
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:18
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
Depth:19
PID:1624
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:20
PID:2960
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:20
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
Depth:21
PID:2432
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:22
PID:2128
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:22
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
Depth:23
PID:2344
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:24
PID:2852
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:24
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
Depth:25
PID:2644
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:26
PID:872
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
Depth:26
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\wininit.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\wininit.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\wininit.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\cmd.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d4611de57b1675e02c52af608890d200
SHA1a529ab665bddcc07a8198a04e94d904e2db1ec87
SHA2565dc66679bd76b9178050f8d78b2f08e0e00651de73dbe56696689dc34d29165d
SHA512e2aab2f9ef4f674fbd847d63ea00aa026e50b71f61000826b9da626551a41882256093db474944a53671c43bf60411a783a7d237a407a6fad3337fcb2118e802
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d5000e944163ad2268452eec6a5d58d8
SHA1f699ab0f426bd8eba31b92fb7ab6229533d31b65
SHA2564c93a24868ba26aa59f37482bcbeb8e30f07fe16e6195552c785d588f4b838b1
SHA512dd51333fac2d1b580b33c0494364519a78ab22bb6a13019314f1422aca2e5f2fb0bae3203d6724a1e2df40c47b12a484d8ee25c4cf19038fca3a79f15ed7ecb4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5086a93abc4d25b9144b839f8374572c9
SHA1c22a4158d0c79a952ba6bbf14fd6f60eaf52d6fa
SHA256acd70d04ad7f81c49b623dda2e82b30acf9f9b436a743b00918174c15f19b4ee
SHA51226e9a6f97e3fdbb9709585f8dcf27b0962c8a7a699bf5c0b3f7a9c6ea9894eb491bbbafaa0ece59bc44952493f5a9017e0586fede756cbef445076e312ab41eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB