Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 02:04
Behavioral task
behavioral1
Sample
JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe
-
Size
1.3MB
-
MD5
b166b12f0a2a165bf6f2f7e7342a7a94
-
SHA1
27a963429bdaf51ba631836aace4b0550e142afd
-
SHA256
a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da
-
SHA512
9c57fc7272948a4ffe38ac09caf61b8cd9b240812974e48daffa5acc002d5d6216bf1d6f1b8aeddd93a7d9d4138e941de75908edbf163d21e576573dee216528
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0007000000019345-9.dat | dcrat
behavioral1/memory/2324-13-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat
behavioral1/memory/896-48-0x0000000000800000-0x0000000000910000-memory.dmp | dcrat
behavioral1/memory/2120-174-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat
behavioral1/memory/3056-234-0x00000000000B0000-0x00000000001C0000-memory.dmp | dcrat
behavioral1/memory/1216-294-0x0000000000EA0000-0x0000000000FB0000-memory.dmp | dcrat
behavioral1/memory/1164-592-0x0000000001020000-0x0000000001130000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2056 | powershell.exe
2544 | powershell.exe
2248 | powershell.exe
1932 | powershell.exe
1736 | powershell.exe
1272 | powershell.exe
3056 | powershell.exe
540 | powershell.exe
2464 | powershell.exe
908 | powershell.exe
844 | powershell.exe
1472 | powershell.exe
3052 | powershell.exe
-
Executes dropped EXE 10 IoCs
pid | Process
2324 | DllCommonsvc.exe
896 | spoolsv.exe
2120 | spoolsv.exe
3056 | spoolsv.exe
1216 | spoolsv.exe
1836 | spoolsv.exe
1360 | spoolsv.exe
3056 | spoolsv.exe
1424 | spoolsv.exe
1164 | spoolsv.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2704 | cmd.exe
2704 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
9 | raw.githubusercontent.com
17 | raw.githubusercontent.com
21 | raw.githubusercontent.com
24 | raw.githubusercontent.com
28 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
13 | raw.githubusercontent.com
31 | raw.githubusercontent.com
35 | raw.githubusercontent.com
-
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\System\msadc\de-DE\System.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\System\msadc\de-DE\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\fr-FR\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\fr-FR\6cb0b6c459d5d3 | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\es-ES\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\es-ES\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Windows\Boot\PCAT\el-GR\dwm.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\msadc\de-DE\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2668
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat" 8⤵ PID:2544
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2292
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat" 10⤵ PID:2936
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2796
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat" 12⤵ PID:1900
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:2668
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat" 14⤵ PID:1920
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2420
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat" 16⤵ PID:1888
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:2480
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat" 18⤵ PID:1236
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:876
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat" 20⤵ PID:1936
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:3020
-
-
C:\providercommon\spoolsv.exe "C:\providercommon\spoolsv.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat" 22⤵ PID:2436
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:1692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
Network
MITRE ATT&CK Enterprise v15
Downloads