Analysis
-
max time kernel
148s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
22-12-2024 00:52
Behavioral task
behavioral1
Sample
JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe
-
Size
1.3MB
-
MD5
7d7ef23a8491ae7204bfc24de5794577
-
SHA1
254ba6066a2d51f707a9b16b57fbe70b144e6687
-
SHA256
3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f
-
SHA512
cfc44ee4128e8206f127e5770360c51863a25f0a456b31e72fafcb8f5a1a7e30651d30b1c42c46a78669c9553bfab73ead58d50ebd5034c8cd3ef713806c51fb
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2504 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 376 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 544 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1908 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2452 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1852 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2200 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1288 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2744 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 696 | 2744 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0008000000016858-12.dat | dcrat
behavioral1/memory/2760-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp | dcrat
behavioral1/memory/672-101-0x0000000000AC0000-0x0000000000BD0000-memory.dmp | dcrat
behavioral1/memory/1356-161-0x0000000000D80000-0x0000000000E90000-memory.dmp | dcrat
behavioral1/memory/2584-221-0x0000000000150000-0x0000000000260000-memory.dmp | dcrat
behavioral1/memory/2940-281-0x0000000000860000-0x0000000000970000-memory.dmp | dcrat
behavioral1/memory/2896-341-0x0000000000AA0000-0x0000000000BB0000-memory.dmp | dcrat
behavioral1/memory/1440-460-0x0000000001190000-0x00000000012A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1052 | powershell.exe
288 | powershell.exe
1316 | powershell.exe
2396 | powershell.exe
2580 | powershell.exe
688 | powershell.exe
2424 | powershell.exe
2172 | powershell.exe
1864 | powershell.exe
1776 | powershell.exe
1676 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2760 | DllCommonsvc.exe
672 | dwm.exe
1356 | dwm.exe
2584 | dwm.exe
2940 | dwm.exe
2896 | dwm.exe
2424 | dwm.exe
1440 | dwm.exe
1800 | dwm.exe
2432 | dwm.exe
2160 | dwm.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1156 | cmd.exe
1156 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
25 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
22 | raw.githubusercontent.com
9 | raw.githubusercontent.com
18 | raw.githubusercontent.com
28 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\lua\modules\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\6cb0b6c459d5d3 | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Fonts\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Fonts\6cb0b6c459d5d3 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1780 | schtasks.exe
1636 | schtasks.exe
1688 | schtasks.exe
1852 | schtasks.exe
1508 | schtasks.exe
696 | schtasks.exe
2636 | schtasks.exe
1160 | schtasks.exe
2796 | schtasks.exe
2996 | schtasks.exe
544 | schtasks.exe
2220 | schtasks.exe
3048 | schtasks.exe
2872 | schtasks.exe
2452 | schtasks.exe
1824 | schtasks.exe
2672 | schtasks.exe
1848 | schtasks.exe
2604 | schtasks.exe
2804 | schtasks.exe
3060 | schtasks.exe
376 | schtasks.exe
2200 | schtasks.exe
1288 | schtasks.exe
2988 | schtasks.exe
2668 | schtasks.exe
2504 | schtasks.exe
1912 | schtasks.exe
1908 | schtasks.exe
1996 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
2760 | DllCommonsvc.exe
2760 | DllCommonsvc.exe
2760 | DllCommonsvc.exe
1864 | powershell.exe
1316 | powershell.exe
1052 | powershell.exe
2424 | powershell.exe
2396 | powershell.exe
2580 | powershell.exe
688 | powershell.exe
2172 | powershell.exe
1676 | powershell.exe
1776 | powershell.exe
288 | powershell.exe
672 | dwm.exe
1356 | dwm.exe
2584 | dwm.exe
2940 | dwm.exe
2896 | dwm.exe
2424 | dwm.exe
1440 | dwm.exe
1800 | dwm.exe
2432 | dwm.exe
2160 | dwm.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2760 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1864 | powershell.exe
Token: SeDebugPrivilege | 1316 | powershell.exe
Token: SeDebugPrivilege | 1052 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 688 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 1676 | powershell.exe
Token: SeDebugPrivilege | 1776 | powershell.exe
Token: SeDebugPrivilege | 288 | powershell.exe
Token: SeDebugPrivilege | 672 | dwm.exe
Token: SeDebugPrivilege | 1356 | dwm.exe
Token: SeDebugPrivilege | 2584 | dwm.exe
Token: SeDebugPrivilege | 2940 | dwm.exe
Token: SeDebugPrivilege | 2896 | dwm.exe
Token: SeDebugPrivilege | 2424 | dwm.exe
Token: SeDebugPrivilege | 1440 | dwm.exe
Token: SeDebugPrivilege | 1800 | dwm.exe
Token: SeDebugPrivilege | 2432 | dwm.exe
Token: SeDebugPrivilege | 2160 | dwm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2444 wrote to memory of 3020 | 2444 | JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe | 30
PID 2444 wrote to memory of 3020 | 2444 | JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe | 30
PID 2444 wrote to memory of 3020 | 2444 | JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe | 30
PID 2444 wrote to memory of 3020 | 2444 | JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe | 30
PID 3020 wrote to memory of 1156 | 3020 | WScript.exe | 32
PID 3020 wrote to memory of 1156 | 3020 | WScript.exe | 32
PID 3020 wrote to memory of 1156 | 3020 | WScript.exe | 32
PID 3020 wrote to memory of 1156 | 3020 | WScript.exe | 32
PID 1156 wrote to memory of 2760 | 1156 | cmd.exe | 34
PID 1156 wrote to memory of 2760 | 1156 | cmd.exe | 34
PID 1156 wrote to memory of 2760 | 1156 | cmd.exe | 34
PID 1156 wrote to memory of 2760 | 1156 | cmd.exe | 34
PID 2760 wrote to memory of 1316 | 2760 | DllCommonsvc.exe | 66
PID 2760 wrote to memory of 1316 | 2760 | DllCommonsvc.exe | 66
PID 2760 wrote to memory of 1316 | 2760 | DllCommonsvc.exe | 66
PID 2760 wrote to memory of 2396 | 2760 | DllCommonsvc.exe | 67
PID 2760 wrote to memory of 2396 | 2760 | DllCommonsvc.exe | 67
PID 2760 wrote to memory of 2396 | 2760 | DllCommonsvc.exe | 67
PID 2760 wrote to memory of 1864 | 2760 | DllCommonsvc.exe | 68
PID 2760 wrote to memory of 1864 | 2760 | DllCommonsvc.exe | 68
PID 2760 wrote to memory of 1864 | 2760 | DllCommonsvc.exe | 68
PID 2760 wrote to memory of 1776 | 2760 | DllCommonsvc.exe | 69
PID 2760 wrote to memory of 1776 | 2760 | DllCommonsvc.exe | 69
PID 2760 wrote to memory of 1776 | 2760 | DllCommonsvc.exe | 69
PID 2760 wrote to memory of 1052 | 2760 | DllCommonsvc.exe | 70
PID 2760 wrote to memory of 1052 | 2760 | DllCommonsvc.exe | 70
PID 2760 wrote to memory of 1052 | 2760 | DllCommonsvc.exe | 70
PID 2760 wrote to memory of 2580 | 2760 | DllCommonsvc.exe | 71
PID 2760 wrote to memory of 2580 | 2760 | DllCommonsvc.exe | 71
PID 2760 wrote to memory of 2580 | 2760 | DllCommonsvc.exe | 71
PID 2760 wrote to memory of 1676 | 2760 | DllCommonsvc.exe | 72
PID 2760 wrote to memory of 1676 | 2760 | DllCommonsvc.exe | 72
PID 2760 wrote to memory of 1676 | 2760 | DllCommonsvc.exe | 72
PID 2760 wrote to memory of 688 | 2760 | DllCommonsvc.exe | 73
PID 2760 wrote to memory of 688 | 2760 | DllCommonsvc.exe | 73
PID 2760 wrote to memory of 688 | 2760 | DllCommonsvc.exe | 73
PID 2760 wrote to memory of 288 | 2760 | DllCommonsvc.exe | 75
PID 2760 wrote to memory of 288 | 2760 | DllCommonsvc.exe | 75
PID 2760 wrote to memory of 288 | 2760 | DllCommonsvc.exe | 75
PID 2760 wrote to memory of 2424 | 2760 | DllCommonsvc.exe | 76
PID 2760 wrote to memory of 2424 | 2760 | DllCommonsvc.exe | 76
PID 2760 wrote to memory of 2424 | 2760 | DllCommonsvc.exe | 76
PID 2760 wrote to memory of 2172 | 2760 | DllCommonsvc.exe | 77
PID 2760 wrote to memory of 2172 | 2760 | DllCommonsvc.exe | 77
PID 2760 wrote to memory of 2172 | 2760 | DllCommonsvc.exe | 77
PID 2760 wrote to memory of 2940 | 2760 | DllCommonsvc.exe | 88
PID 2760 wrote to memory of 2940 | 2760 | DllCommonsvc.exe | 88
PID 2760 wrote to memory of 2940 | 2760 | DllCommonsvc.exe | 88
PID 2940 wrote to memory of 2660 | 2940 | cmd.exe | 90
PID 2940 wrote to memory of 2660 | 2940 | cmd.exe | 90
PID 2940 wrote to memory of 2660 | 2940 | cmd.exe | 90
PID 2940 wrote to memory of 672 | 2940 | cmd.exe | 91
PID 2940 wrote to memory of 672 | 2940 | cmd.exe | 91
PID 2940 wrote to memory of 672 | 2940 | cmd.exe | 91
PID 672 wrote to memory of 2244 | 672 | dwm.exe | 92
PID 672 wrote to memory of 2244 | 672 | dwm.exe | 92
PID 672 wrote to memory of 2244 | 672 | dwm.exe | 92
PID 2244 wrote to memory of 1684 | 2244 | cmd.exe | 94
PID 2244 wrote to memory of 1684 | 2244 | cmd.exe | 94
PID 2244 wrote to memory of 1684 | 2244 | cmd.exe | 94
PID 2244 wrote to memory of 1356 | 2244 | cmd.exe | 95
PID 2244 wrote to memory of 1356 | 2244 | cmd.exe | 95
PID 2244 wrote to memory of 1356 | 2244 | cmd.exe | 95
PID 1356 wrote to memory of 1340 | 1356 | dwm.exe | 96
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe [depth 1]
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\WScript.exe [depth 2]
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\cmd.exe [depth 3]
cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\providercommon\DllCommonsvc.exe [depth 4]
"C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\cmd.exe [depth 5]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9CnSK6J6cV.bat"
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\system32\w32tm.exe [depth 6]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2660
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 6]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\System32\cmd.exe [depth 7]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\system32\w32tm.exe [depth 8]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1684
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 8]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\System32\cmd.exe [depth 9]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
PID:1340
-
C:\Windows\system32\w32tm.exe [depth 10]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2628
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 10]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\cmd.exe [depth 11]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
PID:2760
-
C:\Windows\system32\w32tm.exe [depth 12]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1440
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 12]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940 -
C:\Windows\System32\cmd.exe [depth 13]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
PID:544
-
C:\Windows\system32\w32tm.exe [depth 14]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1088
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 14]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896 -
C:\Windows\System32\cmd.exe [depth 15]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
PID:816
-
C:\Windows\system32\w32tm.exe [depth 16]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1192
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 16]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424 -
C:\Windows\System32\cmd.exe [depth 17]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
PID:2524
-
C:\Windows\system32\w32tm.exe [depth 18]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1776
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 18]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440 -
C:\Windows\System32\cmd.exe [depth 19]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
PID:1044
-
C:\Windows\system32\w32tm.exe [depth 20]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2960
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 20]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\System32\cmd.exe [depth 21]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
PID:1944
-
C:\Windows\system32\w32tm.exe [depth 22]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2676
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 22]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432 -
C:\Windows\System32\cmd.exe [depth 23]
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
PID:1616
-
C:\Windows\system32\w32tm.exe [depth 24]
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2520
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe [depth 24]
"C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe [depth 1]
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
230B
MD51a94336dad429b7fd32e0c2c8b725a21
SHA18867e09d1758e9012604fa5448ac9cd33c37316c
SHA2562c652b850a377b7325761be2ab32ba8d814dd55d83d40254cad7cac4eab90487
SHA512ad221222917207554f65ad63df357b43263ce139fb78e123c3d986bf83e4be9c04b7e1bfc9d4118101517aca594e0ddfe750d1c620b5306f4ee589eb23066994
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
230B
MD573a9df8b59bc94cf881645214de96dfc
SHA1201798a84839f28e3fcb167af49c84a89cebb29f
SHA25609e88bc430ed782d19e9af7257140822cb4da203797a95d32e69d9ab00ef2b51
SHA51266a2b3b00307468d2d62b0d8029386a92c146f19a6623bd7f5dbd0a1977f53daeae40597ea84363746812e46f9cf7c8ec77e5f512b18a74fc011305ca51b4f21
-
Filesize
230B
MD513e6d5610bf5688c8fb4528c93ad7ccc
SHA1e016a5fcbf7e3028edc71e8976e217198604eed4
SHA2566ad7dac43a613d4d5d3a1cbe0925d0fae0242bd4fece1e1a9aec977e083fd4fd
SHA5122f5bde5c4e7e321bbcccea8de0d1505f1f1181f81b0c5fdd2cf11ac96c1d8a34dc8168acbc50592c91d5ac60b5f15c6a771d7d224fa12f7b1551c5f259be93dd
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
230B
MD5ac277e5c497c19abe30ca892b3a361ef
SHA1eeee4eb43a35621d10a2eaeb1e7164c712b9ceaa
SHA25665652f3a932cae001267801a63a405a418e546b8cf57c4c578ba51858988c651
SHA5123504941022df3792246d2e5edb08ffa5756950a4d59a915eea168b21ecd98661dd0d50d309bd7376c656660ad0c475ab62e0b42300c978e67072df285a853f68
-
Filesize
230B
MD5dea6889625614eb6e26014303e458248
SHA1f834d3d254b87450713a80a765091cd30a810a27
SHA256e70e61ccae1a9d127574a5e9b82d07e0ff86144183df6be3ed39cfb546bf75e6
SHA512fd14843b99c6385a73d6008529db618c10cdc2ac803a7bea4619ef0010478960f5ab3b42c44b43697ef5fb03ab4912b592c355ea0c4a6e05b428e22c6134ab47
-
Filesize
230B
MD52bb004c2499840dd2a950eba09a75154
SHA1bab5a66e2cee5e47e461b38ab722f28fabbbd008
SHA25620ce2d667fd0ea4db0e1db154e33f9b0fd36b3aae4205431fd0bd1756fa3659b
SHA5123b7d9fe5c007aabc584a5f04a92b413a71d23ca6d18686edc528383b62a11f2b8c7da35da87ac95ffdf63238fd4bc01e5a5b2e6a50292dd74ebbc97fae869faf
-
Filesize
230B
MD52d653c20db5034f137def87b3b90b90e
SHA1124b3af86de1ce2ca91670814dec5c44cba35084
SHA2562fe4c35c14e48c8dc44848e9b9a0a59fd09244221458c04390d2d73a08252e00
SHA512a9d2f015885ec57385056ea546a06ed9c4a980d17c278ed574b7047103309a1d93cc6039607ccd55c2774b7b1001e8d5d65d40016d45eabaeafc3d4f0c61f5f7
-
Filesize
230B
MD52363042cb0932b43ada2ce4ef1aa3818
SHA137323260fb37ddedc13b6c494812626afcdf7744
SHA256203347a3df5801d3e6bd4c68f9f0208fa0c896718cdb3711ac49c050c9cd1e56
SHA512f65176e334637f30abfefa237240c6c6eb61f0d4cc4ac57feaa1dfc04c250631299a2f491470bae066a97ef0bdb013e0d5329863a3653ca648f478a47fa0a062
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD59638b3708770919dd42ac080d1a27646
SHA1419d80d84c57ec50fb50ae673af8dba4f8da24ab
SHA256437b9c06fceed461eaa7876437a3d8f315fa8ae06e9dffa6f0f254b48946de1a
SHA512ae07dad8e1324704be29c22901f37f5d7c5a3616b8a32eaa649aac637191da1ebc17dd3b238637aa95cd5f0d65e37e2bf57b29cc634389e9eee4e0eac27561be
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478