Analysis
max time kernel: 147s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:47
Behavioral task
behavioral1
Sample
JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe
Size: 1.3MB
MD5: beb10c921f9c0ce310b2814a17ac8081
SHA1: c1ac32065ad952b2789c79780e53649eb080ed39
SHA256: f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20
SHA512: ab076be546a19385c054effdcfda381d0cef648ad7b1460b25a5a8e51463743fb6efb27fe1c0b8547864f512fc89f35ce24a551fe73a1a25095b2cd123f97548
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1748 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 888 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 696 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1300 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1268 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1768 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2908 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 2908 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0008000000016d36-12.dat | dcrat
behavioral1/memory/2672-13-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/3000-87-0x0000000000E60000-0x0000000000F70000-memory.dmp | dcrat
behavioral1/memory/1576-147-0x0000000001070000-0x0000000001180000-memory.dmp | dcrat
behavioral1/memory/2160-562-0x00000000003B0000-0x00000000004C0000-memory.dmp | dcrat
behavioral1/memory/2824-621-0x0000000000F70000-0x0000000001080000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2772 | powershell.exe
1060 | powershell.exe
1092 | powershell.exe
1016 | powershell.exe
2088 | powershell.exe
2340 | powershell.exe
2104 | powershell.exe
1672 | powershell.exe
2940 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2672 | DllCommonsvc.exe
3000 | wininit.exe
1576 | wininit.exe
2368 | wininit.exe
2532 | wininit.exe
1392 | wininit.exe
2416 | wininit.exe
2512 | wininit.exe
1860 | wininit.exe
2160 | wininit.exe
2824 | wininit.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1964 | cmd.exe
1964 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
23 | raw.githubusercontent.com
27 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
13 | raw.githubusercontent.com
30 | raw.githubusercontent.com
34 | raw.githubusercontent.com
5 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\0a1fd5f707cd16 | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\TAPI\dllhost.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\TAPI\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\TAPI\5940a34987c991 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
696 | schtasks.exe
1164 | schtasks.exe
2860 | schtasks.exe
1748 | schtasks.exe
2848 | schtasks.exe
1668 | schtasks.exe
264 | schtasks.exe
304 | schtasks.exe
2020 | schtasks.exe
1768 | schtasks.exe
2544 | schtasks.exe
2988 | schtasks.exe
2288 | schtasks.exe
888 | schtasks.exe
1716 | schtasks.exe
2880 | schtasks.exe
2348 | schtasks.exe
2356 | schtasks.exe
1484 | schtasks.exe
3004 | schtasks.exe
2608 | schtasks.exe
2064 | schtasks.exe
1300 | schtasks.exe
1268 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
2672 | DllCommonsvc.exe
2672 | DllCommonsvc.exe
2672 | DllCommonsvc.exe
2104 | powershell.exe
1060 | powershell.exe
1092 | powershell.exe
1016 | powershell.exe
2088 | powershell.exe
1672 | powershell.exe
2340 | powershell.exe
2772 | powershell.exe
2940 | powershell.exe
3000 | wininit.exe
1576 | wininit.exe
2368 | wininit.exe
2532 | wininit.exe
1392 | wininit.exe
2416 | wininit.exe
2512 | wininit.exe
1860 | wininit.exe
2160 | wininit.exe
2824 | wininit.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2672 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2104 | powershell.exe
Token: SeDebugPrivilege | 1060 | powershell.exe
Token: SeDebugPrivilege | 1092 | powershell.exe
Token: SeDebugPrivilege | 1016 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 1672 | powershell.exe
Token: SeDebugPrivilege | 2340 | powershell.exe
Token: SeDebugPrivilege | 2772 | powershell.exe
Token: SeDebugPrivilege | 2940 | powershell.exe
Token: SeDebugPrivilege | 3000 | wininit.exe
Token: SeDebugPrivilege | 1576 | wininit.exe
Token: SeDebugPrivilege | 2368 | wininit.exe
Token: SeDebugPrivilege | 2532 | wininit.exe
Token: SeDebugPrivilege | 1392 | wininit.exe
Token: SeDebugPrivilege | 2416 | wininit.exe
Token: SeDebugPrivilege | 2512 | wininit.exe
Token: SeDebugPrivilege | 1860 | wininit.exe
Token: SeDebugPrivilege | 2160 | wininit.exe
Token: SeDebugPrivilege | 2824 | wininit.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2016 wrote to memory of 2316 | 2016 | JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe | 31
PID 2016 wrote to memory of 2316 | 2016 | JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe | 31
PID 2016 wrote to memory of 2316 | 2016 | JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe | 31
PID 2016 wrote to memory of 2316 | 2016 | JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe | 31
PID 2316 wrote to memory of 1964 | 2316 | WScript.exe | 32
PID 2316 wrote to memory of 1964 | 2316 | WScript.exe | 32
PID 2316 wrote to memory of 1964 | 2316 | WScript.exe | 32
PID 2316 wrote to memory of 1964 | 2316 | WScript.exe | 32
PID 1964 wrote to memory of 2672 | 1964 | cmd.exe | 34
PID 1964 wrote to memory of 2672 | 1964 | cmd.exe | 34
PID 1964 wrote to memory of 2672 | 1964 | cmd.exe | 34
PID 1964 wrote to memory of 2672 | 1964 | cmd.exe | 34
PID 2672 wrote to memory of 2340 | 2672 | DllCommonsvc.exe | 60
PID 2672 wrote to memory of 2340 | 2672 | DllCommonsvc.exe | 60
PID 2672 wrote to memory of 2340 | 2672 | DllCommonsvc.exe | 60
PID 2672 wrote to memory of 2104 | 2672 | DllCommonsvc.exe | 61
PID 2672 wrote to memory of 2104 | 2672 | DllCommonsvc.exe | 61
PID 2672 wrote to memory of 2104 | 2672 | DllCommonsvc.exe | 61
PID 2672 wrote to memory of 2088 | 2672 | DllCommonsvc.exe | 63
PID 2672 wrote to memory of 2088 | 2672 | DllCommonsvc.exe | 63
PID 2672 wrote to memory of 2088 | 2672 | DllCommonsvc.exe | 63
PID 2672 wrote to memory of 1016 | 2672 | DllCommonsvc.exe | 65
PID 2672 wrote to memory of 1016 | 2672 | DllCommonsvc.exe | 65
PID 2672 wrote to memory of 1016 | 2672 | DllCommonsvc.exe | 65
PID 2672 wrote to memory of 2940 | 2672 | DllCommonsvc.exe | 66
PID 2672 wrote to memory of 2940 | 2672 | DllCommonsvc.exe | 66
PID 2672 wrote to memory of 2940 | 2672 | DllCommonsvc.exe | 66
PID 2672 wrote to memory of 1092 | 2672 | DllCommonsvc.exe | 68
PID 2672 wrote to memory of 1092 | 2672 | DllCommonsvc.exe | 68
PID 2672 wrote to memory of 1092 | 2672 | DllCommonsvc.exe | 68
PID 2672 wrote to memory of 1060 | 2672 | DllCommonsvc.exe | 70
PID 2672 wrote to memory of 1060 | 2672 | DllCommonsvc.exe | 70
PID 2672 wrote to memory of 1060 | 2672 | DllCommonsvc.exe | 70
PID 2672 wrote to memory of 1672 | 2672 | DllCommonsvc.exe | 71
PID 2672 wrote to memory of 1672 | 2672 | DllCommonsvc.exe | 71
PID 2672 wrote to memory of 1672 | 2672 | DllCommonsvc.exe | 71
PID 2672 wrote to memory of 2772 | 2672 | DllCommonsvc.exe | 72
PID 2672 wrote to memory of 2772 | 2672 | DllCommonsvc.exe | 72
PID 2672 wrote to memory of 2772 | 2672 | DllCommonsvc.exe | 72
PID 2672 wrote to memory of 1496 | 2672 | DllCommonsvc.exe | 78
PID 2672 wrote to memory of 1496 | 2672 | DllCommonsvc.exe | 78
PID 2672 wrote to memory of 1496 | 2672 | DllCommonsvc.exe | 78
PID 1496 wrote to memory of 1736 | 1496 | cmd.exe | 80
PID 1496 wrote to memory of 1736 | 1496 | cmd.exe | 80
PID 1496 wrote to memory of 1736 | 1496 | cmd.exe | 80
PID 1496 wrote to memory of 3000 | 1496 | cmd.exe | 81
PID 1496 wrote to memory of 3000 | 1496 | cmd.exe | 81
PID 1496 wrote to memory of 3000 | 1496 | cmd.exe | 81
PID 3000 wrote to memory of 908 | 3000 | wininit.exe | 82
PID 3000 wrote to memory of 908 | 3000 | wininit.exe | 82
PID 3000 wrote to memory of 908 | 3000 | wininit.exe | 82
PID 908 wrote to memory of 2600 | 908 | cmd.exe | 84
PID 908 wrote to memory of 2600 | 908 | cmd.exe | 84
PID 908 wrote to memory of 2600 | 908 | cmd.exe | 84
PID 908 wrote to memory of 1576 | 908 | cmd.exe | 85
PID 908 wrote to memory of 1576 | 908 | cmd.exe | 85
PID 908 wrote to memory of 1576 | 908 | cmd.exe | 85
PID 1576 wrote to memory of 2620 | 1576 | wininit.exe | 86
PID 1576 wrote to memory of 2620 | 1576 | wininit.exe | 86
PID 1576 wrote to memory of 2620 | 1576 | wininit.exe | 86
PID 2620 wrote to memory of 1944 | 2620 | cmd.exe | 88
PID 2620 wrote to memory of 1944 | 2620 | cmd.exe | 88
PID 2620 wrote to memory of 1944 | 2620 | cmd.exe | 88
PID 2620 wrote to memory of 2368 | 2620 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe" [depth 1]
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" [depth 2]
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" " [depth 3]
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe" [depth 4]
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dllhost.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\services.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe' [depth 5]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C43fqAYO3A.bat" [depth 5]
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 6]
PID:1736
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 6]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat" [depth 7]
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 8]
PID:2600
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 8]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat" [depth 9]
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 10]
PID:1944
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 10]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat" [depth 11]
PID:2624
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 12]
PID:1680
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 12]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat" [depth 13]
PID:1508
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 14]
PID:2608
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 14]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat" [depth 15]
PID:2888
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 16]
PID:3016
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 16]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat" [depth 17]
PID:3020
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 18]
PID:2660
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 18]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat" [depth 19]
PID:888
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 20]
PID:1812
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 20]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat" [depth 21]
PID:264
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 22]
PID:2040
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 22]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat" [depth 23]
PID:1956
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 24]
PID:2904
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe" [depth 24]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat" [depth 25]
PID:2588
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 [depth 26]
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\dllhost.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\services.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /rl HIGHEST /f [depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD573c75187597df2fdf5315928556a69d4
SHA1247b34d17eee4cc6ef1154274aa7c8b2759bdf2f
SHA2561b290e92123315c174b3b825246b102caa183bb8be426f454b485e492218cd60
SHA512f09cb2c36689e7bab667866aca33ffdebacacc52e1598ad5ce3d8f403fd3acce74885badadbc5a12ce1b9bb01d925c23dcd1f54751434019d449989caa3f289d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a629484b4bb1875e07a6c3e52988fd1c
SHA1295f7bf3d3893119b3849bbbdac7ef030d8a6a97
SHA2564c17bd16a28b055b32bc515720d48c6c5a77072c180e6e38a0cfafb56e20dbb3
SHA512684dacca48d54fb33358475537c9775ea8fbe6679144281513d24e16ea7807a4c351cb4b8dc44316d8a7c21eefecc86112146b1fdc2dbe35c4e674f635d6dc7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f718bb9aa70c0890ddbc2dd133a44c90
SHA152e4f1745272cd719ae459630e1440f665c99db0
SHA2568479fcddffe6d5212e45d2e6f1dc717904d75afcb59393ad2609d3338c566bf6
SHA512a1d1754738a82c5dee4ee790f3b10e458366a4b91e93c3c1546e31bf07480bbd97e2cbcb87d4d631c0e22ea4dcfd0709ee4751425ad682d9c9b3bf889f5dd711
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5032c170805a842a436a3bc121c6ca9c2
SHA1e597763e803066f8b24695a5f752a8ccfd310fac
SHA2565d2409af6e44c2f5003352165661b0fe2f872d08065674919e7f34b1a6596373
SHA5128119b265992a1170c8a081586cc1ded362371f77056075d011f44063c1d3231035a11398d11485bd1d466d79de805b3b72731cf693ca76bd9988a14f7ecfb833
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms