Analysis
-
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 05:43
Behavioral task: behavioral1
Sample: JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe
Resource: win10v2004-20241007-en
General
-
Target: JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe
Size: 1.3MB
MD5: 41cbb8d59a3587705c3ad07b9799811a
SHA1: d40744a16badbe139b09fb0d904ac2c134ac728b
SHA256: 034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d
SHA512: 9c97191a0ca2a2ded86476272dbfd60b197416020edf9176dda875ad115bb0081b6048531eecf7eef7b4721b5766f5dc79bdf48be7cfa2ffa487826624e5f768
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1728 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 716 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1312 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2904 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 332 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 556 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1988 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 676 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1396 | 2652 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2652 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x00080000000173f3-9.dat | dcrat
behavioral1/memory/2784-13-0x00000000012D0000-0x00000000013E0000-memory.dmp | dcrat
behavioral1/memory/2484-101-0x0000000000B80000-0x0000000000C90000-memory.dmp | dcrat
behavioral1/memory/1648-160-0x0000000000090000-0x00000000001A0000-memory.dmp | dcrat
behavioral1/memory/2064-220-0x0000000000C30000-0x0000000000D40000-memory.dmp | dcrat
behavioral1/memory/2140-280-0x0000000000230000-0x0000000000340000-memory.dmp | dcrat
behavioral1/memory/2144-340-0x00000000009C0000-0x0000000000AD0000-memory.dmp | dcrat
behavioral1/memory/2908-400-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/1980-460-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat
behavioral1/memory/2576-521-0x0000000000EC0000-0x0000000000FD0000-memory.dmp | dcrat
behavioral1/memory/3068-581-0x0000000000EE0000-0x0000000000FF0000-memory.dmp | dcrat
behavioral1/memory/2748-641-0x0000000000F60000-0x0000000001070000-memory.dmp | dcrat
behavioral1/memory/1568-701-0x0000000001080000-0x0000000001190000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1104 | powershell.exe
916 | powershell.exe
1528 | powershell.exe
1176 | powershell.exe
568 | powershell.exe
1692 | powershell.exe
1020 | powershell.exe
944 | powershell.exe
2244 | powershell.exe
1948 | powershell.exe
1584 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2784 | DllCommonsvc.exe
2484 | OSPPSVC.exe
1648 | OSPPSVC.exe
2064 | OSPPSVC.exe
2140 | OSPPSVC.exe
2144 | OSPPSVC.exe
2908 | OSPPSVC.exe
1980 | OSPPSVC.exe
2576 | OSPPSVC.exe
3068 | OSPPSVC.exe
2748 | OSPPSVC.exe
1568 | OSPPSVC.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2708 | cmd.exe
2708 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
28 | raw.githubusercontent.com
31 | raw.githubusercontent.com
35 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
-
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File created | C:\Program Files\Java\jre7\bin\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\it-IT\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\en-US\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Java\jre7\bin\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Journal\it-IT\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\en-US\dwm.exe | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\1610b97d3ab4a7 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
332 | schtasks.exe
2412 | schtasks.exe
1888 | schtasks.exe
1728 | schtasks.exe
2180 | schtasks.exe
2436 | schtasks.exe
2944 | schtasks.exe
2880 | schtasks.exe
2448 | schtasks.exe
716 | schtasks.exe
1272 | schtasks.exe
556 | schtasks.exe
676 | schtasks.exe
2528 | schtasks.exe
2940 | schtasks.exe
3048 | schtasks.exe
1652 | schtasks.exe
2404 | schtasks.exe
776 | schtasks.exe
1980 | schtasks.exe
1956 | schtasks.exe
1988 | schtasks.exe
1396 | schtasks.exe
2620 | schtasks.exe
2076 | schtasks.exe
2380 | schtasks.exe
2904 | schtasks.exe
2012 | schtasks.exe
2752 | schtasks.exe
1312 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid | Process
2784 | DllCommonsvc.exe
2784 | DllCommonsvc.exe
2784 | DllCommonsvc.exe
2244 | powershell.exe
1104 | powershell.exe
944 | powershell.exe
1948 | powershell.exe
916 | powershell.exe
1528 | powershell.exe
1176 | powershell.exe
1692 | powershell.exe
1020 | powershell.exe
1584 | powershell.exe
568 | powershell.exe
2484 | OSPPSVC.exe
1648 | OSPPSVC.exe
2064 | OSPPSVC.exe
2140 | OSPPSVC.exe
2144 | OSPPSVC.exe
2908 | OSPPSVC.exe
1980 | OSPPSVC.exe
2576 | OSPPSVC.exe
3068 | OSPPSVC.exe
2748 | OSPPSVC.exe
1568 | OSPPSVC.exe
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2784 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2244 | powershell.exe
Token: SeDebugPrivilege | 1104 | powershell.exe
Token: SeDebugPrivilege | 944 | powershell.exe
Token: SeDebugPrivilege | 1948 | powershell.exe
Token: SeDebugPrivilege | 916 | powershell.exe
Token: SeDebugPrivilege | 1528 | powershell.exe
Token: SeDebugPrivilege | 1176 | powershell.exe
Token: SeDebugPrivilege | 1692 | powershell.exe
Token: SeDebugPrivilege | 1020 | powershell.exe
Token: SeDebugPrivilege | 1584 | powershell.exe
Token: SeDebugPrivilege | 568 | powershell.exe
Token: SeDebugPrivilege | 2484 | OSPPSVC.exe
Token: SeDebugPrivilege | 1648 | OSPPSVC.exe
Token: SeDebugPrivilege | 2064 | OSPPSVC.exe
Token: SeDebugPrivilege | 2140 | OSPPSVC.exe
Token: SeDebugPrivilege | 2144 | OSPPSVC.exe
Token: SeDebugPrivilege | 2908 | OSPPSVC.exe
Token: SeDebugPrivilege | 1980 | OSPPSVC.exe
Token: SeDebugPrivilege | 2576 | OSPPSVC.exe
Token: SeDebugPrivilege | 3068 | OSPPSVC.exe
Token: SeDebugPrivilege | 2748 | OSPPSVC.exe
Token: SeDebugPrivilege | 1568 | OSPPSVC.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2148 wrote to memory of 2816 | 2148 | JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe | 31
PID 2148 wrote to memory of 2816 | 2148 | JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe | 31
PID 2148 wrote to memory of 2816 | 2148 | JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe | 31
PID 2148 wrote to memory of 2816 | 2148 | JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe | 31
PID 2816 wrote to memory of 2708 | 2816 | WScript.exe | 32
PID 2816 wrote to memory of 2708 | 2816 | WScript.exe | 32
PID 2816 wrote to memory of 2708 | 2816 | WScript.exe | 32
PID 2816 wrote to memory of 2708 | 2816 | WScript.exe | 32
PID 2708 wrote to memory of 2784 | 2708 | cmd.exe | 34
PID 2708 wrote to memory of 2784 | 2708 | cmd.exe | 34
PID 2708 wrote to memory of 2784 | 2708 | cmd.exe | 34
PID 2708 wrote to memory of 2784 | 2708 | cmd.exe | 34
PID 2784 wrote to memory of 1104 | 2784 | DllCommonsvc.exe | 66
PID 2784 wrote to memory of 1104 | 2784 | DllCommonsvc.exe | 66
PID 2784 wrote to memory of 1104 | 2784 | DllCommonsvc.exe | 66
PID 2784 wrote to memory of 916 | 2784 | DllCommonsvc.exe | 67
PID 2784 wrote to memory of 916 | 2784 | DllCommonsvc.exe | 67
PID 2784 wrote to memory of 916 | 2784 | DllCommonsvc.exe | 67
PID 2784 wrote to memory of 1020 | 2784 | DllCommonsvc.exe | 68
PID 2784 wrote to memory of 1020 | 2784 | DllCommonsvc.exe | 68
PID 2784 wrote to memory of 1020 | 2784 | DllCommonsvc.exe | 68
PID 2784 wrote to memory of 1528 | 2784 | DllCommonsvc.exe | 69
PID 2784 wrote to memory of 1528 | 2784 | DllCommonsvc.exe | 69
PID 2784 wrote to memory of 1528 | 2784 | DllCommonsvc.exe | 69
PID 2784 wrote to memory of 1176 | 2784 | DllCommonsvc.exe | 70
PID 2784 wrote to memory of 1176 | 2784 | DllCommonsvc.exe | 70
PID 2784 wrote to memory of 1176 | 2784 | DllCommonsvc.exe | 70
PID 2784 wrote to memory of 944 | 2784 | DllCommonsvc.exe | 71
PID 2784 wrote to memory of 944 | 2784 | DllCommonsvc.exe | 71
PID 2784 wrote to memory of 944 | 2784 | DllCommonsvc.exe | 71
PID 2784 wrote to memory of 568 | 2784 | DllCommonsvc.exe | 72
PID 2784 wrote to memory of 568 | 2784 | DllCommonsvc.exe | 72
PID 2784 wrote to memory of 568 | 2784 | DllCommonsvc.exe | 72
PID 2784 wrote to memory of 1692 | 2784 | DllCommonsvc.exe | 73
PID 2784 wrote to memory of 1692 | 2784 | DllCommonsvc.exe | 73
PID 2784 wrote to memory of 1692 | 2784 | DllCommonsvc.exe | 73
PID 2784 wrote to memory of 2244 | 2784 | DllCommonsvc.exe | 74
PID 2784 wrote to memory of 2244 | 2784 | DllCommonsvc.exe | 74
PID 2784 wrote to memory of 2244 | 2784 | DllCommonsvc.exe | 74
PID 2784 wrote to memory of 1948 | 2784 | DllCommonsvc.exe | 75
PID 2784 wrote to memory of 1948 | 2784 | DllCommonsvc.exe | 75
PID 2784 wrote to memory of 1948 | 2784 | DllCommonsvc.exe | 75
PID 2784 wrote to memory of 1584 | 2784 | DllCommonsvc.exe | 76
PID 2784 wrote to memory of 1584 | 2784 | DllCommonsvc.exe | 76
PID 2784 wrote to memory of 1584 | 2784 | DllCommonsvc.exe | 76
PID 2784 wrote to memory of 2368 | 2784 | DllCommonsvc.exe | 88
PID 2784 wrote to memory of 2368 | 2784 | DllCommonsvc.exe | 88
PID 2784 wrote to memory of 2368 | 2784 | DllCommonsvc.exe | 88
PID 2368 wrote to memory of 2752 | 2368 | cmd.exe | 90
PID 2368 wrote to memory of 2752 | 2368 | cmd.exe | 90
PID 2368 wrote to memory of 2752 | 2368 | cmd.exe | 90
PID 2368 wrote to memory of 2484 | 2368 | cmd.exe | 91
PID 2368 wrote to memory of 2484 | 2368 | cmd.exe | 91
PID 2368 wrote to memory of 2484 | 2368 | cmd.exe | 91
PID 2484 wrote to memory of 2764 | 2484 | OSPPSVC.exe | 92
PID 2484 wrote to memory of 2764 | 2484 | OSPPSVC.exe | 92
PID 2484 wrote to memory of 2764 | 2484 | OSPPSVC.exe | 92
PID 2764 wrote to memory of 2904 | 2764 | cmd.exe | 94
PID 2764 wrote to memory of 2904 | 2764 | cmd.exe | 94
PID 2764 wrote to memory of 2904 | 2764 | cmd.exe | 94
PID 2764 wrote to memory of 1648 | 2764 | cmd.exe | 95
PID 2764 wrote to memory of 1648 | 2764 | cmd.exe | 95
PID 2764 wrote to memory of 1648 | 2764 | cmd.exe | 95
PID 1648 wrote to memory of 788 | 1648 | OSPPSVC.exe | 96
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\cmd.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\dwm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gKSvXanOy6.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:2368
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2752
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:2764
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:2904
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat" 9⤵ PID:788
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2216
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat" 11⤵ PID:1772
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:1632
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat" 13⤵ PID:2840
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:2844
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat" 15⤵ PID:2592
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:2092
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat" 17⤵ PID:2128
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:2784
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat" 19⤵ PID:2528
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:1172
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat" 21⤵ PID:2104
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:1580
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat" 23⤵ PID:676
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2192
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat" 25⤵ PID:2468
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:2028
-
-
C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe" 26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\dwm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\dwm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA2561ea5b32d825a5cd4d7aa1059bab596fccbe01ec7aba38c89597960d81921340c
SHA512fe6022e02e8a128ad76b8595ec3a9e2c66638a369b6a0a70a6f017d7bb6fd11ccd7cbfb7843d0c0e96ddd73cf99eea726e16c2744daf18f397187b7e5da7d2cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5590063f1b84d768de243c3369fe0988f
SHA16d4231ab535ccffa151da90034f66a72d2c67582
SHA256edc1b31c051aecb868f68d05a082da2e78cbbabf249d879b8a45090594f0e5d9
SHA512457574fbe06ab3f586768e7406a90a247906cfb50da131c4714369b10fd4a3e4e61b7a9a7b44f4a1365d198dc0246b5118b03294338d6093e40b7b064f351345
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d4382bb9ee779f241b4dcb6bbf275860
SHA1e39511a8c9a76f9c6c33f3626debeab0f5166cd3
SHA256ac068c8917f81232efa296069303c3778ac691ab4b235f61598c8f22c3621637
SHA512dc8e9911fc47a7a0e4c2e8d4530bfd047bff8055f90562654c831955e890c9c968655ea60c05dc59b9a7d528b35eb8842602849e5ef0186fb40716a4b767fa62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cc3fe3b7690ae5f561a80c1e7a7b88ac
SHA15f151be09533f53965fbe98ff0f90c588acce7e9
SHA2563c14af03c4d4df6573542b7e12879207f57ad64fbfd71e2ff72d5d2e1bef0c47
SHA512969b721cacef74253e865450e88409d75f2e5234c618d4e718cd3e727ee52d6424fa7e437921ab2d832ba21392eecbe3f8e3c2d891a6ebec7c810842a652c057
-
Filesize
206B
MD5ddf096ff3667b3a3de8bc4938b9d29e4
SHA13c9a0d814b977c5b8fbe83b4231228bc5bd794e9
SHA256984dd4602aac8839788bb2001f4a25c8bd04bc9dca09944e1a53c02c16a39975
SHA512c929712ef7288593bead3084b8b3c2ea325025bb3666b57e3741aaf7acaa1f39d0b5b1b4d3674b22024c8473e5fae2da2135f3440d0bc1cce82d2d0c1bd2327c
-
Filesize
206B
MD561a7174328df8178a42c4058b60d4439
SHA1c8df417e7ed957c906da1f1930f1f63c4773f577
SHA256c2264bf4384eab33d6a926de8927d19c3d0d848c6cfef991b5f90b1309a7174b
SHA512093e2d383c0567ab1d6e0bb084492d52735314d88d14fde135b664737c360250fa1aab2d323cbfa59a86ffd51939daa36adac4f9ec25c50e30e0bd4be4dd2ef3
-
Filesize
206B
MD56176254d138991649293a75aaeb7fce9
SHA1bf354f06b222865e91cd786560cadeb547edb6c6
SHA256f7356e9ea76ae8bdb0c32757e4238606491995ba1560aee9c657188a624b744a
SHA512372977fa3676278980fdd6869a591a0e9a3becdf7daa1347bed03ac6d89329578e504b5895ced52736da17df540bb7e06ff454e595f52a7abd14482141f6d97b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
206B
MD571b20212f9aad7b171e8d5da2757e949
SHA142d77b945a2030d6676466881bb95d40c9a4e64b
SHA2569db5f599003d6f7c070dce8048d109e9e14c59d201b5b3b44451a5d5e598f098
SHA5127cc272dfad08c34e77ae01d435c93684cf2e2f4ce7427d19c55b407d68981864bcc054d053901545f25723251be40187d894db13ffa3fd669db4ae49eeb0d2e4
-
Filesize
206B
MD56dc3f5812a310e2533a5539f60c4b6d5
SHA1e76f249f9f8c6eccf90550f082e7e378692cb9f5
SHA25662c0673cc3584ca08c8788b3251c4095d4a77f4e81c60bc22b9a07b7e31f73f1
SHA512da57b7d6124839a70d522af9a1cab3254867f46c22050479da77fb2b17a7de12e4eabee1fbb15008a4fc6121bc879afff8b7f6adb75828393dc8bc6f2c64f0c2
-
Filesize
206B
MD5eec10e31db1028f03fecd8049a1733fe
SHA1acd700c380a349538b66b78887498da148a6cad9
SHA256537d8acc2c293783ab381ceec5489b8d02c6d491450b10affaa5896aafac34a7
SHA51286db958bbe377566b1cf1d894ede5b0275a1c16e81a11efc9206137814d737255214b712df7b3c578eb63b366b4b90f84911a45babef9cea1459948f788cafe8
-
Filesize
206B
MD5739c3c28d2051ec9a5449cd8943cb6f0
SHA1f18b06b566af405c7c55962ae79361a5da80e382
SHA25641d107e5efc79994ba9ee18e6ee29bd00449da7e15f5ff88772a6868e6ff5c00
SHA512dc72d029e74f1c27a00ba92bf8d9cca740ea61ac4d4c8079cade87b9cdb0692fe8f4238af9bfccab2fb427735fbed010b3f799dfdf704eb94a80bb47783eaa20
-
Filesize
206B
MD5ff302f7f005ab533268d5f800c24b1e7
SHA1b7191c894742f5ed3b5342a3a394c7191e377957
SHA256e8a7e4842a27040c9160498918e1c48a6c8adc322f0224d1a4d37bae20aca548
SHA5124c3cae811d16a04581ea0cef9a665cf602d76029e00a4862ad3ab66c74b3bff954f05431602c9bcb379550e525e8114eab55e26dcaf70c784eab1558bcc49d3c
-
Filesize
206B
MD5252e7a5dff84c9eb6d8e5ac6dbef6b83
SHA1e5e250290acd7a2464c577a9c414daf882576b26
SHA256d35ff8c56872de057ec247442592083b6a5f6eeba76d83159cae2970ebd460c0
SHA5122e2bdd12d42c263c6eb42c33503e2ed91b17dbfd37539082e3bbb74bbb013f8ede13dca0442c165c15934b431c5c82c96b6885a817be1d20b9bfd8ebf04fcff1
-
Filesize
206B
MD56516e58e9a0115e9a382a1795dcdcda9
SHA1e41b7b6162ce0e118e394d3779937faf73a70262
SHA2560a6b75130f8478a03e3d15c4860ae86c3307ddad9e8f48f829d96e9ec4231791
SHA512702902bffe8c655ee335e66db6a2b9d839ee3fa5f2bd4044c233888cbb44515d0bb9cbe73c6f5ee8c282408aaf54f77dfd007f07484f73db374f20fbd3a73de5
-
Filesize
206B
MD589ab5aefd66c89b03b1b26b8549c75b4
SHA127f39d6d52bfa95df666b3ef301ecf9ae9481137
SHA25627dd48ada81dadf8ae171f4375749bedc441c503751b28dd17a51dac0d513385
SHA51242052ee136e59288f03fa27439f949e0210fc43c6aff6e264e0100f58aea1cf2b12e3b32be1cfa242319d9f8d50666e57d58025b5d9a6eaac82b43cc95c88138
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD517a900ac5341f6d4c51dbb78c612a421
SHA1091d935809ad88b0a31a524ceb4c4cdd2b26daa0
SHA256e4f11f6561431f4970b723a71731ae1d9f55f38f2c776db5b4e60691f28d5d7e
SHA512304e72010cb408c99ee17cb5a559a3f7507d14ad86cb89480376590dcda90cf7dff7e82e7c7df24eb42e1a29102f0dee982249f092f7386cd91fb2f97bc671d5
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394