Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22/12/2024, 01:49
Behavioral task
behavioral1
Sample
JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe
-
Size
1.3MB
-
MD5
bb440de4d62566b7a239336d53696af3
-
SHA1
d160ba34e88346262ac1fdee2b9c7f989760d176
-
SHA256
21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba
-
SHA512
570d608ce02f5c0a7376d6f925ac8370e3f37cf01d8d38be61c7a0fc5b098b548be9ff8bb02884a3c214f362d1e4980a17bb62e3034e1af7ce66481d195bc807
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2508 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 908 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2904 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1476 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 644 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 572 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1884 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 352 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 896 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 948 | 3008 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 3008 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000015df1-12.dat | dcrat
behavioral1/memory/2872-13-0x0000000000E50000-0x0000000000F60000-memory.dmp | dcrat
behavioral1/memory/2012-44-0x0000000000D70000-0x0000000000E80000-memory.dmp | dcrat
behavioral1/memory/1912-156-0x00000000011A0000-0x00000000012B0000-memory.dmp | dcrat
behavioral1/memory/2404-216-0x0000000000320000-0x0000000000430000-memory.dmp | dcrat
behavioral1/memory/580-277-0x0000000001260000-0x0000000001370000-memory.dmp | dcrat
behavioral1/memory/2960-337-0x00000000013D0000-0x00000000014E0000-memory.dmp | dcrat
behavioral1/memory/848-634-0x00000000003E0000-0x00000000004F0000-memory.dmp | dcrat
behavioral1/memory/1592-694-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 3068 powershell.exe 848 powershell.exe 1772 powershell.exe 1968 powershell.exe 1568 powershell.exe 2492 powershell.exe 1816 powershell.exe 608 powershell.exe 692 powershell.exe 1552 powershell.exe 2948 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2872 DllCommonsvc.exe 2012 spoolsv.exe 1912 spoolsv.exe 2404 spoolsv.exe 580 spoolsv.exe 2960 spoolsv.exe 2812 spoolsv.exe 2132 spoolsv.exe 2920 spoolsv.exe 2696 spoolsv.exe 848 spoolsv.exe 1592 spoolsv.exe -
Loads dropped DLL 2 IoCs
pid Process 2820 cmd.exe 2820 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 4 raw.githubusercontent.com 23 raw.githubusercontent.com 26 raw.githubusercontent.com 30 raw.githubusercontent.com 33 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 37 raw.githubusercontent.com 40 raw.githubusercontent.com -
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\CrashReports\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Uninstall Information\lsass.exe | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\Migration\WTR\spoolsv.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\Migration\WTR\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Migration\WTR\f3b6ecef712a24 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1648 schtasks.exe 2904 schtasks.exe 2640 schtasks.exe 908 schtasks.exe 2088 schtasks.exe 2608 schtasks.exe 1884 schtasks.exe 2284 schtasks.exe 2124 schtasks.exe 1628 schtasks.exe 572 schtasks.exe 1888 schtasks.exe 1676 schtasks.exe 2408 schtasks.exe 644 schtasks.exe 2372 schtasks.exe 948 schtasks.exe 1784 schtasks.exe 1644 schtasks.exe 2180 schtasks.exe 2224 schtasks.exe 352 schtasks.exe 2508 schtasks.exe 2600 schtasks.exe 1476 schtasks.exe 1440 schtasks.exe 2636 schtasks.exe 1668 schtasks.exe 896 schtasks.exe 2484 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 2872 DllCommonsvc.exe 1568 powershell.exe 1816 powershell.exe 1772 powershell.exe 2492 powershell.exe 608 powershell.exe 848 powershell.exe 1552 powershell.exe 2948 powershell.exe 692 powershell.exe 1968 powershell.exe 3068 powershell.exe 2012 spoolsv.exe 1912 spoolsv.exe 2404 spoolsv.exe 580 spoolsv.exe 2960 spoolsv.exe 2812 spoolsv.exe 2132 spoolsv.exe 2920 spoolsv.exe 2696 spoolsv.exe 848 spoolsv.exe 1592 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 2872 DllCommonsvc.exe Token: SeDebugPrivilege 1568 powershell.exe Token: SeDebugPrivilege 1816 powershell.exe Token: SeDebugPrivilege 1772 powershell.exe Token: SeDebugPrivilege 2492 powershell.exe Token: SeDebugPrivilege 608 powershell.exe Token: SeDebugPrivilege 848 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 2012 spoolsv.exe Token: SeDebugPrivilege 692 powershell.exe Token: SeDebugPrivilege 1968 powershell.exe Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 1912 spoolsv.exe Token: SeDebugPrivilege 2404 spoolsv.exe Token: SeDebugPrivilege 580 spoolsv.exe Token: SeDebugPrivilege 2960 spoolsv.exe Token: SeDebugPrivilege 2812 spoolsv.exe Token: SeDebugPrivilege 2132 spoolsv.exe Token: SeDebugPrivilege 2920 spoolsv.exe Token: SeDebugPrivilege 2696 spoolsv.exe Token: SeDebugPrivilege 848 spoolsv.exe Token: SeDebugPrivilege 1592 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2696
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1524
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"10⤵PID:2936
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2612
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"12⤵PID:1492
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2920
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"14⤵PID:836
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2572
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"16⤵PID:2424
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2060
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"18⤵PID:2076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1932
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"20⤵PID:1708
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2664
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"22⤵PID:2088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2092
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"24⤵PID:2352
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2224
-
-
C:\Windows\Migration\WTR\spoolsv.exe"C:\Windows\Migration\WTR\spoolsv.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"26⤵PID:1252
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1784
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\45U5YBLY2UVZS3V6BSCG.temp
Filesize 7KB