Analysis
- max time kernel: 145s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 01:20
Behavioral task
behavioral1
Sample
JaffaCakes118_9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740.exe
Resource
win10v2004-20241007-en
General
- Target: JaffaCakes118_9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740.exe
- Size: 1.3MB
- MD5: 0e8ff980af72539ef8c6a5c2dd19e851
- SHA1: 0712b6c0d2d36ee7ef3f5d9c009feaef560f0350
- SHA256: 9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740
- SHA512: 3cd5dd8ec9b43d57eb134c54bdbea7fb4ac4caf6bfadc37f72b10501e070a55f1727f7f5d32941974d68baaf2083ea62650a2924e07384e39d4aaac5c128f5ba
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1824 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1404 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 876 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1032 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2732 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2856 schtasks.exe 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 2856 schtasks.exe 34
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
2508 powershell.exe
2664 powershell.exe
2880 powershell.exe
3060 powershell.exe
3064 powershell.exe
1660 powershell.exe
2464 powershell.exe
2624 powershell.exe
2256 powershell.exe
2976 powershell.exe
2160 powershell.exe
1756 powershell.exe
-
Executes dropped EXE 13 IoCs
pid Process
2564 DllCommonsvc.exe
1700 DllCommonsvc.exe
1416 DllCommonsvc.exe
624 System.exe
1168 System.exe
2008 System.exe
2148 System.exe
788 System.exe
1892 System.exe
1688 System.exe
2240 System.exe
1700 System.exe
2112 System.exe
-
Loads dropped DLL 2 IoCs
pid Process
2244 cmd.exe
2244 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc
5 raw.githubusercontent.com
9 raw.githubusercontent.com
16 raw.githubusercontent.com
20 raw.githubusercontent.com
33 raw.githubusercontent.com
4 raw.githubusercontent.com
23 raw.githubusercontent.com
26 raw.githubusercontent.com
30 raw.githubusercontent.com
13 raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Photo Viewer\explorer.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Photo Viewer\7a0fd90576e088 DllCommonsvc.exe
File created C:\Program Files\Uninstall Information\System.exe DllCommonsvc.exe
File created C:\Program Files\Uninstall Information\27d1bcfc3c54e0 DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\56085415360792 DllCommonsvc.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\wininit.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2632 schtasks.exe
2672 schtasks.exe
2060 schtasks.exe
2660 schtasks.exe
2616 schtasks.exe
840 schtasks.exe
2712 schtasks.exe
2940 schtasks.exe
2976 schtasks.exe
1404 schtasks.exe
2136 schtasks.exe
1932 schtasks.exe
2640 schtasks.exe
2492 schtasks.exe
1536 schtasks.exe
2408 schtasks.exe
2692 schtasks.exe
2908 schtasks.exe
1032 schtasks.exe
2688 schtasks.exe
2076 schtasks.exe
1824 schtasks.exe
876 schtasks.exe
1616 schtasks.exe
2024 schtasks.exe
2732 schtasks.exe
2604 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process
2564 DllCommonsvc.exe
3060 powershell.exe
1756 powershell.exe
3064 powershell.exe
1700 DllCommonsvc.exe
2464 powershell.exe
1660 powershell.exe
2508 powershell.exe
1416 DllCommonsvc.exe
2976 powershell.exe
2160 powershell.exe
2624 powershell.exe
2664 powershell.exe
2880 powershell.exe
2256 powershell.exe
624 System.exe
1168 System.exe
2008 System.exe
2148 System.exe
788 System.exe
1892 System.exe
1688 System.exe
2240 System.exe
1700 System.exe
2112 System.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process
Token: SeDebugPrivilege 2564 DllCommonsvc.exe
Token: SeDebugPrivilege 3060 powershell.exe
Token: SeDebugPrivilege 1756 powershell.exe
Token: SeDebugPrivilege 3064 powershell.exe
Token: SeDebugPrivilege 1700 DllCommonsvc.exe
Token: SeDebugPrivilege 2464 powershell.exe
Token: SeDebugPrivilege 1660 powershell.exe
Token: SeDebugPrivilege 2508 powershell.exe
Token: SeDebugPrivilege 1416 DllCommonsvc.exe
Token: SeDebugPrivilege 2976 powershell.exe
Token: SeDebugPrivilege 2160 powershell.exe
Token: SeDebugPrivilege 2624 powershell.exe
Token: SeDebugPrivilege 2664 powershell.exe
Token: SeDebugPrivilege 2880 powershell.exe
Token: SeDebugPrivilege 2256 powershell.exe
Token: SeDebugPrivilege 624 System.exe
Token: SeDebugPrivilege 1168 System.exe
Token: SeDebugPrivilege 2008 System.exe
Token: SeDebugPrivilege 2148 System.exe
Token: SeDebugPrivilege 788 System.exe
Token: SeDebugPrivilege 1892 System.exe
Token: SeDebugPrivilege 1688 System.exe
Token: SeDebugPrivilege 2240 System.exe
Token: SeDebugPrivilege 1700 System.exe
Token: SeDebugPrivilege 2112 System.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a51ea7ad7f2c71aeb6b24d7bcddf0d7f8642f81c39844f5e54fc85fe394e740.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Goi7jYSLVL.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1072
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gsi4pWcSOH.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:580
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\wininit.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"10⤵PID:1488
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:3000
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"12⤵PID:2716
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2752
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"14⤵PID:1224
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1680
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"16⤵PID:2584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:544
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"18⤵PID:1932
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2904
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"20⤵PID:2472
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2672
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"22⤵PID:1116
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1568
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"24⤵PID:1940
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2520
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat"26⤵PID:556
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2684
-
-
C:\Program Files\Uninstall Information\System.exe"C:\Program Files\Uninstall Information\System.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize342B
MD504b47b4f5195d63b768ca880c8acf11b
SHA1cb443861503ea8f79a69e2db9a8a1a118c98d00d
SHA256c329e1490d10c2f372d98a7fc105e719ebfb1bfadd70fc3135b3a91884ab5f2e
SHA512cac302c4b1e6c3ac223551dd49a99ca690bd97eb2f41d8dac646240726945bdcd0f1a228ac27b77fcdf5b3fc177ea250be338ea552505a3b91258e4b3fc85fdd
-
Filesize
214B
MD58e5f4dc93024ee9f994c47d9b959ad7b
SHA1f93c1e950d2d419c0cd3c9157ee127d9a791dbd1
SHA2563be58d01c738aa1fd036538ddef35d32946d57db0d0886919e7d4fcfeea840e1
SHA512efbd46a1afcb5e92a2ce164c9e51329cb469914df40685cd259bdf2b3358c8b9be134b1e8901148e835ba19fda1baa9cbc512c637e213c466acfb7019b18c3b1
-
Filesize
214B
MD5454174ede0bfd6633ffecdda933d77e3
SHA18c54d9e69694b1f4f43cdaf9789aa6cee67c4179
SHA256c0a41c6a72da1228af5af73fde1df37efd3d4f7e67732d5d4debeb15ee7c18a7
SHA5125ee4c9f54df14d8bab9f7bffaae9b113937ad4c047d9a767ce6c91aa11716a8e661f094432ba6b4b9b3c572f4a907b95bd8fc96123c25aae4b2052b8c9b6c640
-
Filesize
214B
MD5222b525eefd0f98d2ea9a25fe1cbe252
SHA1cc2cedeb29d6bcb0340557b3a8b6a90e12e4244b
SHA256e2b2b4fc047fa1a9a6daf62347fd1da4552b4852558b653546712527ac2082dd
SHA512069600e5ccef5858f2ffd90bf8285e4e666b6dbfd5b2747a1e8f79a548a963aaa3b991db3fa7cce8a5ad2ba07986853ccb879ea55a49bb06644db3ae6b9cdd72
-
Filesize
214B
MD57611027dc3a1c7ec14ce4e5182523afa
SHA1e6037351ee215629f178f20ca096d8abb8453593
SHA2563a870124330d242d1e6719657b2fff56b694520257b7445de37581272c4e99b6
SHA512c7eaf16986aacdf1507f1ae65e8667e67ffd7a0bbf5e40b24a4a6494a813cc8fcad9198bf8d2a2c6f05a593a2a745ce43786ac8f633969532636262299a6c435
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
199B
MD5fca9cab7ea125206e3761f3183ca6960
SHA141024e4b70e1207f0e6a8f874105dd6b25524d61
SHA256f75215dd31516c79f683f04fbb001b6db0b39e3937b58720ad72205b008441c8
SHA512dd7408565ce2c645107f755fa79bec816e0555e3ed7933a8b1afe8e20001133488685bdee9be7729bfdd0044a04dc53c377e85bbe2b7e3762dd482215e87dda7
-
Filesize
199B
MD58d401b7ddc39287a00e13f72771f53d8
SHA186d22239962d89a873561cdd998100dc0c1bae2a
SHA256a60d5ccc9cd85a6578ae213e78a81cf3fc1f1e92532879699c60c6830a047fbe
SHA512df64df1f22f76a19de00ebc0eb0e06b1ada14a2a0ee8daf76e17c6bb5dd7fafe47a822215729d33cc16ebf8d6c985218b36300238f000141c13f0bcd6a1e2cab
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
214B
MD578d80c40841e245084ad86809a8fb921
SHA10c02108627f6f83cbf4fd91011cb8805342b270d
SHA256b2f377f11064fda0e7517fe274c69cb7c7c3433d7cf2d8a29b4f8a17caa77c1b
SHA512a6fc113ebedcdcae27ec16f2590a93e9a459baa1d64cb258127e6ed06fab836a7483198b1c5b791c4706c53ca5c70861d003be9d8a1472cc733b9dd4c22b9e26
-
Filesize
214B
MD55632624820764640f74e875b80e0d20b
SHA1b294e65d68ac75b4cb988f4fad860dce3b2e4b5e
SHA25633315e2dc2fb630ab2e1622e490993822c7590a557a155c1d936a78d5ee97b1d
SHA51293f1c363a336696b58c26caedd6efbaefa791c96574bf446484f893cb74fcf6ce15b19c32cbe61a6e17ce954bbbe5f14110f42040b43f5ecc27b14b699f51d45
-
Filesize
214B
MD5985ffd711148420f2c6de6eeefca61bf
SHA14f684865b9a8f4a9cf25596a556cf35a6aede70e
SHA2562db81d74c7a8bff70292c772b1ff0f1e89298448ece7bd7f7cdd95d79e9bbad6
SHA51208ff212f4088503604caf8d759ccba50379eb122a41d59eadd49a620249b7863a79f8ffce7f72ea8caa54bf15461f2393cc8b842673a8a5e03ca2b5680fe53c3
-
Filesize
214B
MD59dd1002b718eb3ac1a6bab7b6fe6e6b6
SHA1276b51439192a78af97c9b1b64fc865a6aec9fe9
SHA256aca60f786c9bc04245aab29726cef3bff2a17469f6d5fad5ad79a6cf428be2c2
SHA512a09f7669dba6615fe2964e4ba161d863af16aadf7657b8b84391a50271cd97f3d677065574d6933eee0de9960207afac5b00dc1d9b6c686aa9d2c622b85049df
-
Filesize
214B
MD51faaabba205bca067d44285aae0787f5
SHA1fdcfeb97fa909cf4985f13d5de73548c1ec830b3
SHA2562d0936638c4fad869eef600b348cf4457537c2653fe6e407fb39eec7c59facb9
SHA512ca07327d1e9a535658252da7b18b280ac49a454bb959486dcb64ecda6bca7a540e772d77ed5b23744fb546b7dd923e8dba783a2cd220175dd3716446ecfd139a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SELFS4JAAYJOTWQJLJ3D.temp
Filesize7KB
MD575c888bdadb90eee0b39d075e5c70765
SHA1cddd51a62fb3d6c64d17e80278b2279a06077717
SHA2562573ef79f0b3e17f8cd9de7c63d2d2c8665043bc6402d3ce8aed88a8a8b098dc
SHA512808752e9c884b8ee10a6070685b7c115cff4efae1fa3387c1e1c24ef13aa43957f5d4bb334efa40747cf91a7cbcbdef75cea1af09cd92029060c263880d34eb9
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394