Analysis
-
max time kernel
141s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 20:33
Behavioral task
behavioral1
Sample
JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe
-
Size
1.3MB
-
MD5
0e9b77d2adc68f1d8f3a104bb8db6d32
-
SHA1
bf9714af5a5da7cd7cc0ae8a73a1a5010a27066c
-
SHA256
f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c
-
SHA512
1ddac7e2b3e3c3927f7c78a91ad77c2e162072fad149765e60ad683985179de247dffe50363f6bb80fc0971ded4ad5e944775ddb49f84c52ee3d11be32deb15c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 692 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3020 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1308 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 580 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 568 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1284 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1504 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1312 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2132 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 836 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2584 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1752 2584 schtasks.exe 34
-
resource yara_rule
behavioral1/files/0x000800000001686c-9.dat dcrat
behavioral1/memory/2688-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp dcrat
behavioral1/memory/1728-50-0x0000000000070000-0x0000000000180000-memory.dmp dcrat
behavioral1/memory/2352-168-0x0000000001380000-0x0000000001490000-memory.dmp dcrat
behavioral1/memory/2404-228-0x0000000000320000-0x0000000000430000-memory.dmp dcrat
behavioral1/memory/1000-288-0x00000000008F0000-0x0000000000A00000-memory.dmp dcrat
behavioral1/memory/3000-349-0x0000000000DB0000-0x0000000000EC0000-memory.dmp dcrat
behavioral1/memory/664-647-0x00000000012F0000-0x0000000001400000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
1772 powershell.exe
1940 powershell.exe
1712 powershell.exe
2508 powershell.exe
1512 powershell.exe
2396 powershell.exe
1348 powershell.exe
1528 powershell.exe
1824 powershell.exe
2308 powershell.exe
1676 powershell.exe
1724 powershell.exe
-
Executes dropped EXE 12 IoCs
pid Process
2688 DllCommonsvc.exe
1728 services.exe
2352 services.exe
2404 services.exe
1000 services.exe
3000 services.exe
2328 services.exe
2192 services.exe
2616 services.exe
1700 services.exe
664 services.exe
2860 services.exe
-
Loads dropped DLL 2 IoCs
pid Process
2904 cmd.exe
2904 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
4 raw.githubusercontent.com
5 raw.githubusercontent.com
9 raw.githubusercontent.com
19 raw.githubusercontent.com
34 raw.githubusercontent.com
37 raw.githubusercontent.com
13 raw.githubusercontent.com
16 raw.githubusercontent.com
23 raw.githubusercontent.com
26 raw.githubusercontent.com
30 raw.githubusercontent.com
-
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\6cb0b6c459d5d3 DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\diagnostics\scheduled\Maintenance\System.exe DllCommonsvc.exe
File created C:\Windows\ServiceProfiles\smss.exe DllCommonsvc.exe
File opened for modification C:\Windows\ServiceProfiles\smss.exe DllCommonsvc.exe
File created C:\Windows\ServiceProfiles\69ddcba757bf72 DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2620 schtasks.exe
2380 schtasks.exe
2132 schtasks.exe
1356 schtasks.exe
692 schtasks.exe
568 schtasks.exe
2140 schtasks.exe
2344 schtasks.exe
2040 schtasks.exe
1792 schtasks.exe
836 schtasks.exe
2164 schtasks.exe
1656 schtasks.exe
1752 schtasks.exe
2008 schtasks.exe
2448 schtasks.exe
2404 schtasks.exe
2100 schtasks.exe
3020 schtasks.exe
1308 schtasks.exe
1284 schtasks.exe
2788 schtasks.exe
580 schtasks.exe
2900 schtasks.exe
1976 schtasks.exe
1128 schtasks.exe
1504 schtasks.exe
2484 schtasks.exe
1992 schtasks.exe
1476 schtasks.exe
2936 schtasks.exe
2388 schtasks.exe
1312 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process
2688 DllCommonsvc.exe
2508 powershell.exe
1528 powershell.exe
2396 powershell.exe
1772 powershell.exe
2308 powershell.exe
1728 services.exe
1676 powershell.exe
1824 powershell.exe
1940 powershell.exe
1348 powershell.exe
1724 powershell.exe
1512 powershell.exe
1712 powershell.exe
2352 services.exe
2404 services.exe
1000 services.exe
3000 services.exe
2328 services.exe
2192 services.exe
2616 services.exe
1700 services.exe
664 services.exe
2860 services.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeDebugPrivilege 2688 DllCommonsvc.exe
Token: SeDebugPrivilege 2508 powershell.exe
Token: SeDebugPrivilege 1528 powershell.exe
Token: SeDebugPrivilege 2396 powershell.exe
Token: SeDebugPrivilege 1772 powershell.exe
Token: SeDebugPrivilege 1728 services.exe
Token: SeDebugPrivilege 2308 powershell.exe
Token: SeDebugPrivilege 1676 powershell.exe
Token: SeDebugPrivilege 1824 powershell.exe
Token: SeDebugPrivilege 1940 powershell.exe
Token: SeDebugPrivilege 1348 powershell.exe
Token: SeDebugPrivilege 1724 powershell.exe
Token: SeDebugPrivilege 1512 powershell.exe
Token: SeDebugPrivilege 1712 powershell.exe
Token: SeDebugPrivilege 2352 services.exe
Token: SeDebugPrivilege 2404 services.exe
Token: SeDebugPrivilege 1000 services.exe
Token: SeDebugPrivilege 3000 services.exe
Token: SeDebugPrivilege 2328 services.exe
Token: SeDebugPrivilege 2192 services.exe
Token: SeDebugPrivilege 2616 services.exe
Token: SeDebugPrivilege 1700 services.exe
Token: SeDebugPrivilege 664 services.exe
Token: SeDebugPrivilege 2860 services.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2092 wrote to memory of 2856 2092 JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe 30
PID 2092 wrote to memory of 2856 2092 JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe 30
PID 2092 wrote to memory of 2856 2092 JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe 30
PID 2092 wrote to memory of 2856 2092 JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe 30
PID 2856 wrote to memory of 2904 2856 WScript.exe 31
PID 2856 wrote to memory of 2904 2856 WScript.exe 31
PID 2856 wrote to memory of 2904 2856 WScript.exe 31
PID 2856 wrote to memory of 2904 2856 WScript.exe 31
PID 2904 wrote to memory of 2688 2904 cmd.exe 33
PID 2904 wrote to memory of 2688 2904 cmd.exe 33
PID 2904 wrote to memory of 2688 2904 cmd.exe 33
PID 2904 wrote to memory of 2688 2904 cmd.exe 33
PID 2688 wrote to memory of 1512 2688 DllCommonsvc.exe 68
PID 2688 wrote to memory of 1512 2688 DllCommonsvc.exe 68
PID 2688 wrote to memory of 1512 2688 DllCommonsvc.exe 68
PID 2688 wrote to memory of 2396 2688 DllCommonsvc.exe 69
PID 2688 wrote to memory of 2396 2688 DllCommonsvc.exe 69
PID 2688 wrote to memory of 2396 2688 DllCommonsvc.exe 69
PID 2688 wrote to memory of 1348 2688 DllCommonsvc.exe 70
PID 2688 wrote to memory of 1348 2688 DllCommonsvc.exe 70
PID 2688 wrote to memory of 1348 2688 DllCommonsvc.exe 70
PID 2688 wrote to memory of 1528 2688 DllCommonsvc.exe 71
PID 2688 wrote to memory of 1528 2688 DllCommonsvc.exe 71
PID 2688 wrote to memory of 1528 2688 DllCommonsvc.exe 71
PID 2688 wrote to memory of 1824 2688 DllCommonsvc.exe 72
PID 2688 wrote to memory of 1824 2688 DllCommonsvc.exe 72
PID 2688 wrote to memory of 1824 2688 DllCommonsvc.exe 72
PID 2688 wrote to memory of 1772 2688 DllCommonsvc.exe 73
PID 2688 wrote to memory of 1772 2688 DllCommonsvc.exe 73
PID 2688 wrote to memory of 1772 2688 DllCommonsvc.exe 73
PID 2688 wrote to memory of 1940 2688 DllCommonsvc.exe 74
PID 2688 wrote to memory of 1940 2688 DllCommonsvc.exe 74
PID 2688 wrote to memory of 1940 2688 DllCommonsvc.exe 74
PID 2688 wrote to memory of 2308 2688 DllCommonsvc.exe 75
PID 2688 wrote to memory of 2308 2688 DllCommonsvc.exe 75
PID 2688 wrote to memory of 2308 2688 DllCommonsvc.exe 75
PID 2688 wrote to memory of 1712 2688 DllCommonsvc.exe 76
PID 2688 wrote to memory of 1712 2688 DllCommonsvc.exe 76
PID 2688 wrote to memory of 1712 2688 DllCommonsvc.exe 76
PID 2688 wrote to memory of 2508 2688 DllCommonsvc.exe 77
PID 2688 wrote to memory of 2508 2688 DllCommonsvc.exe 77
PID 2688 wrote to memory of 2508 2688 DllCommonsvc.exe 77
PID 2688 wrote to memory of 1676 2688 DllCommonsvc.exe 78
PID 2688 wrote to memory of 1676 2688 DllCommonsvc.exe 78
PID 2688 wrote to memory of 1676 2688 DllCommonsvc.exe 78
PID 2688 wrote to memory of 1724 2688 DllCommonsvc.exe 79
PID 2688 wrote to memory of 1724 2688 DllCommonsvc.exe 79
PID 2688 wrote to memory of 1724 2688 DllCommonsvc.exe 79
PID 2688 wrote to memory of 1728 2688 DllCommonsvc.exe 92
PID 2688 wrote to memory of 1728 2688 DllCommonsvc.exe 92
PID 2688 wrote to memory of 1728 2688 DllCommonsvc.exe 92
PID 1728 wrote to memory of 2624 1728 services.exe 93
PID 1728 wrote to memory of 2624 1728 services.exe 93
PID 1728 wrote to memory of 2624 1728 services.exe 93
PID 2624 wrote to memory of 1612 2624 cmd.exe 95
PID 2624 wrote to memory of 1612 2624 cmd.exe 95
PID 2624 wrote to memory of 1612 2624 cmd.exe 95
PID 2624 wrote to memory of 2352 2624 cmd.exe 96
PID 2624 wrote to memory of 2352 2624 cmd.exe 96
PID 2624 wrote to memory of 2352 2624 cmd.exe 96
PID 2352 wrote to memory of 1004 2352 services.exe 97
PID 2352 wrote to memory of 1004 2352 services.exe 97
PID 2352 wrote to memory of 1004 2352 services.exe 97
PID 1004 wrote to memory of 1288 1004 cmd.exe 99
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f2a04ab2b41737abbe3f1e49ed9debf95b8a197fa95f9a93789aada1ab26f55c.exe"
Depth: 1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Depth: 2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
Depth: 3
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
Depth: 4
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\smss.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\services.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
Depth: 6
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 7
PID:1612
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 7
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
Depth: 8
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 9
PID:1288
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 9
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
Depth: 10
PID:1824
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 11
PID:608
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 11
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
Depth: 12
PID:2684
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 13
PID:2568
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 13
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
Depth: 14
PID:2208
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 15
PID:1772
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 15
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
Depth: 16
PID:1968
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 17
PID:2812
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 17
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
Depth: 18
PID:2364
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 19
PID:1572
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 19
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
Depth: 20
PID:1728
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 21
PID:1736
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 21
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
Depth: 22
PID:496
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 23
PID:1676
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 23
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
Depth: 24
PID:1744
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 25
PID:2712
-
-
C:\Users\Admin\Start Menu\services.exe
"C:\Users\Admin\Start Menu\services.exe"
Depth: 25
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\smss.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\smss.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\services.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\services.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\services.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB