Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 20:46
Behavioral task
behavioral1
Sample
JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
-
Size
1.3MB
-
MD5
32615ad6080d8fe652230bb4c70496a7
-
SHA1
5dd7ca55e4d479aa054309f78225262ed35cc1d3
-
SHA256
2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a
-
SHA512
e8e79f81e355354d1cef17cf101fe2d815cb0b0147ef9cbb573d8cbf3fb1d847ffcbf7735d8a5b5bbc1379727de1cd72454ef45d87f9c9605a65beb2b90ce8e4
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource yara_rule
behavioral1/files/0x0008000000016d31-9.dat dcrat
behavioral1/memory/2940-13-0x00000000012F0000-0x0000000001400000-memory.dmp dcrat
behavioral1/memory/2056-50-0x0000000000D90000-0x0000000000EA0000-memory.dmp dcrat
behavioral1/memory/1472-236-0x0000000000FF0000-0x0000000001100000-memory.dmp dcrat
behavioral1/memory/2036-415-0x0000000001170000-0x0000000001280000-memory.dmp dcrat
behavioral1/memory/2180-475-0x00000000001F0000-0x0000000000300000-memory.dmp dcrat
behavioral1/memory/1524-535-0x00000000008E0000-0x00000000009F0000-memory.dmp dcrat
behavioral1/memory/3000-595-0x0000000000090000-0x00000000001A0000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 1432 powershell.exe 696 powershell.exe 3024 powershell.exe 1460 powershell.exe 1992 powershell.exe 1408 powershell.exe 2220 powershell.exe 1052 powershell.exe 2488 powershell.exe 112 powershell.exe 2000 powershell.exe 324 powershell.exe 2204 powershell.exe 688 powershell.exe -
Executes dropped EXE 10 IoCs
pid Process 2940 DllCommonsvc.exe 2056 conhost.exe 2692 conhost.exe 1472 conhost.exe 1588 conhost.exe 900 conhost.exe 2036 conhost.exe 2180 conhost.exe 1524 conhost.exe 3000 conhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2292 cmd.exe 2292 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 12 raw.githubusercontent.com 16 raw.githubusercontent.com 27 raw.githubusercontent.com 31 raw.githubusercontent.com 34 raw.githubusercontent.com 9 raw.githubusercontent.com 5 raw.githubusercontent.com 20 raw.githubusercontent.com 23 raw.githubusercontent.com 4 raw.githubusercontent.com -
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\System32\explorer.exe DllCommonsvc.exe
File created C:\Windows\System32\7a0fd90576e088 DllCommonsvc.exe
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files\Windows Journal\es-ES\lsass.exe DllCommonsvc.exe
File created C:\Program Files\Windows Journal\es-ES\6203df4a6bafc7 DllCommonsvc.exe
File created C:\Program Files\Windows Portable Devices\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\Windows Portable Devices\0a1fd5f707cd16 DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\Vss\Writers\System\42af1c969fbb7b DllCommonsvc.exe
File created C:\Windows\Vss\Writers\System\audiodg.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2900 schtasks.exe 1196 schtasks.exe 2012 schtasks.exe 800 schtasks.exe 1808 schtasks.exe 964 schtasks.exe 2600 schtasks.exe 2608 schtasks.exe 1548 schtasks.exe 2972 schtasks.exe 2272 schtasks.exe 376 schtasks.exe 1132 schtasks.exe 2964 schtasks.exe 2704 schtasks.exe 1012 schtasks.exe 2268 schtasks.exe 2792 schtasks.exe 2920 schtasks.exe 1484 schtasks.exe 832 schtasks.exe 2960 schtasks.exe 2952 schtasks.exe 2784 schtasks.exe 900 schtasks.exe 1252 schtasks.exe 3012 schtasks.exe 2152 schtasks.exe 336 schtasks.exe 1616 schtasks.exe 2788 schtasks.exe 2448 schtasks.exe 2316 schtasks.exe 1688 schtasks.exe 2756 schtasks.exe 2180 schtasks.exe 2120 schtasks.exe 1644 schtasks.exe 2344 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 2940 DllCommonsvc.exe 2940 DllCommonsvc.exe 2940 DllCommonsvc.exe 2940 DllCommonsvc.exe 2940 DllCommonsvc.exe 1408 powershell.exe 688 powershell.exe 1992 powershell.exe 3024 powershell.exe 1052 powershell.exe 2488 powershell.exe 2220 powershell.exe 112 powershell.exe 2204 powershell.exe 1432 powershell.exe 2000 powershell.exe 1460 powershell.exe 696 powershell.exe 324 powershell.exe 2056 conhost.exe 2692 conhost.exe 1472 conhost.exe 1588 conhost.exe 900 conhost.exe 2036 conhost.exe 2180 conhost.exe 1524 conhost.exe 3000 conhost.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 2940 DllCommonsvc.exe Token: SeDebugPrivilege 1408 powershell.exe Token: SeDebugPrivilege 688 powershell.exe Token: SeDebugPrivilege 1992 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeDebugPrivilege 2488 powershell.exe Token: SeDebugPrivilege 2056 conhost.exe Token: SeDebugPrivilege 2220 powershell.exe Token: SeDebugPrivilege 112 powershell.exe Token: SeDebugPrivilege 2204 powershell.exe Token: SeDebugPrivilege 1432 powershell.exe Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 1460 powershell.exe Token: SeDebugPrivilege 696 powershell.exe Token: SeDebugPrivilege 324 powershell.exe Token: SeDebugPrivilege 2692 conhost.exe Token: SeDebugPrivilege 1472 conhost.exe Token: SeDebugPrivilege 1588 conhost.exe Token: SeDebugPrivilege 900 conhost.exe Token: SeDebugPrivilege 2036 conhost.exe Token: SeDebugPrivilege 2180 conhost.exe Token: SeDebugPrivilege 1524 conhost.exe Token: SeDebugPrivilege 3000 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3012
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"8⤵PID:2568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2152
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"10⤵PID:2180
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1912
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"12⤵PID:1120
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2412
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"14⤵PID:1692
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2572
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"16⤵PID:1560
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2820
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"18⤵PID:2852
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2772
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"20⤵PID:2992
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2520
-
-
C:\Users\Default User\conhost.exe"C:\Users\Default User\conhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"22⤵PID:112
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\es-ES\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\System32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms