Analysis
-
max time kernel
142s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 12:06
Behavioral task
behavioral1
Sample
JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe
-
Size
1.3MB
-
MD5
2d031c806a969795b90cb3cea133b80e
-
SHA1
23b3130dcf218b1f8c6ace8c7485cfdcd47d9163
-
SHA256
45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f
-
SHA512
a1bb5ce339ae792c10152d7a00013d5ef662cbde68f8da3be5d8fe156b0e8798ca4f16505f10d52e96eae7ce4b8ba8aa4752b715ffdee3c72e4adb8c78d44d1f
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2760 | 2628 | schtasks.exe | 34
2356 | 2628 | schtasks.exe | 34
640 | 2628 | schtasks.exe | 34
2556 | 2628 | schtasks.exe | 34
2724 | 2628 | schtasks.exe | 34
1600 | 2628 | schtasks.exe | 34
2428 | 2628 | schtasks.exe | 34
2652 | 2628 | schtasks.exe | 34
2352 | 2628 | schtasks.exe | 34
1888 | 2628 | schtasks.exe | 34
2112 | 2628 | schtasks.exe | 34
1476 | 2628 | schtasks.exe | 34
1744 | 2628 | schtasks.exe | 34
1208 | 2628 | schtasks.exe | 34
2364 | 2628 | schtasks.exe | 34
1332 | 2628 | schtasks.exe | 34
2484 | 2628 | schtasks.exe | 34
296 | 2628 | schtasks.exe | 34
2020 | 2628 | schtasks.exe | 34
1828 | 2628 | schtasks.exe | 34
2280 | 2628 | schtasks.exe | 34
2292 | 2628 | schtasks.exe | 34
1088 | 2628 | schtasks.exe | 34
2492 | 2628 | schtasks.exe | 34
1644 | 2628 | schtasks.exe | 34
2496 | 2628 | schtasks.exe | 34
1816 | 2628 | schtasks.exe | 34
2300 | 2628 | schtasks.exe | 34
1632 | 2628 | schtasks.exe | 34
584 | 2628 | schtasks.exe | 34
2228 | 2628 | schtasks.exe | 34
1100 | 2628 | schtasks.exe | 34
1824 | 2628 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000016fc9-9.dat | dcrat
behavioral1/memory/2328-13-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
behavioral1/memory/2116-107-0x00000000002E0000-0x00000000003F0000-memory.dmp | dcrat
behavioral1/memory/1472-166-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat
behavioral1/memory/1448-226-0x0000000000C40000-0x0000000000D50000-memory.dmp | dcrat
behavioral1/memory/2184-286-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/2116-346-0x0000000000CC0000-0x0000000000DD0000-memory.dmp | dcrat
behavioral1/memory/1780-406-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat
behavioral1/memory/2932-466-0x0000000000030000-0x0000000000140000-memory.dmp | dcrat
behavioral1/memory/956-526-0x0000000000FD0000-0x00000000010E0000-memory.dmp | dcrat
behavioral1/memory/2196-645-0x0000000001350000-0x0000000001460000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2388 | powershell.exe
908 | powershell.exe
1916 | powershell.exe
2144 | powershell.exe
2396 | powershell.exe
1596 | powershell.exe
1780 | powershell.exe
2204 | powershell.exe
236 | powershell.exe
2052 | powershell.exe
1464 | powershell.exe
932 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2328 | DllCommonsvc.exe
2116 | lsm.exe
1472 | lsm.exe
1448 | lsm.exe
2184 | lsm.exe
2116 | lsm.exe
1780 | lsm.exe
2932 | lsm.exe
956 | lsm.exe
2684 | lsm.exe
2196 | lsm.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2892 | cmd.exe
2892 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
27 | raw.githubusercontent.com
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
23 | raw.githubusercontent.com
30 | raw.githubusercontent.com
34 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\56085415360792 | DllCommonsvc.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\Branding\ShellBrd\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Windows\Cursors\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Cursors\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\Speech\Engines\SR\es-ES\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Branding\ShellBrd\services.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2724 | schtasks.exe
1208 | schtasks.exe
584 | schtasks.exe
2760 | schtasks.exe
1744 | schtasks.exe
1828 | schtasks.exe
2292 | schtasks.exe
1088 | schtasks.exe
1100 | schtasks.exe
1824 | schtasks.exe
1600 | schtasks.exe
2364 | schtasks.exe
1332 | schtasks.exe
2492 | schtasks.exe
2484 | schtasks.exe
1644 | schtasks.exe
2300 | schtasks.exe
2228 | schtasks.exe
2556 | schtasks.exe
1888 | schtasks.exe
2112 | schtasks.exe
1476 | schtasks.exe
1816 | schtasks.exe
2428 | schtasks.exe
2652 | schtasks.exe
2356 | schtasks.exe
296 | schtasks.exe
2496 | schtasks.exe
640 | schtasks.exe
2352 | schtasks.exe
2020 | schtasks.exe
2280 | schtasks.exe
1632 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
2328 | DllCommonsvc.exe
1464 | powershell.exe
2052 | powershell.exe
1916 | powershell.exe
908 | powershell.exe
2396 | powershell.exe
932 | powershell.exe
1596 | powershell.exe
2204 | powershell.exe
1780 | powershell.exe
236 | powershell.exe
2388 | powershell.exe
2144 | powershell.exe
2116 | lsm.exe
1472 | lsm.exe
1448 | lsm.exe
2184 | lsm.exe
2116 | lsm.exe
1780 | lsm.exe
2932 | lsm.exe
956 | lsm.exe
2684 | lsm.exe
2196 | lsm.exe
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2328 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1464 | powershell.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 1916 | powershell.exe
Token: SeDebugPrivilege | 908 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 932 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 1780 | powershell.exe
Token: SeDebugPrivilege | 236 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 2144 | powershell.exe
Token: SeDebugPrivilege | 2116 | lsm.exe
Token: SeDebugPrivilege | 1472 | lsm.exe
Token: SeDebugPrivilege | 1448 | lsm.exe
Token: SeDebugPrivilege | 2184 | lsm.exe
Token: SeDebugPrivilege | 2116 | lsm.exe
Token: SeDebugPrivilege | 1780 | lsm.exe
Token: SeDebugPrivilege | 2932 | lsm.exe
Token: SeDebugPrivilege | 956 | lsm.exe
Token: SeDebugPrivilege | 2684 | lsm.exe
Token: SeDebugPrivilege | 2196 | lsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 2212 | 2820 | JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe | 30
PID 2820 wrote to memory of 2212 | 2820 | JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe | 30
PID 2820 wrote to memory of 2212 | 2820 | JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe | 30
PID 2820 wrote to memory of 2212 | 2820 | JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe | 30
PID 2212 wrote to memory of 2892 | 2212 | WScript.exe | 31
PID 2212 wrote to memory of 2892 | 2212 | WScript.exe | 31
PID 2212 wrote to memory of 2892 | 2212 | WScript.exe | 31
PID 2212 wrote to memory of 2892 | 2212 | WScript.exe | 31
PID 2892 wrote to memory of 2328 | 2892 | cmd.exe | 33
PID 2892 wrote to memory of 2328 | 2892 | cmd.exe | 33
PID 2892 wrote to memory of 2328 | 2892 | cmd.exe | 33
PID 2892 wrote to memory of 2328 | 2892 | cmd.exe | 33
PID 2328 wrote to memory of 2052 | 2328 | DllCommonsvc.exe | 68
PID 2328 wrote to memory of 2052 | 2328 | DllCommonsvc.exe | 68
PID 2328 wrote to memory of 2052 | 2328 | DllCommonsvc.exe | 68
PID 2328 wrote to memory of 1464 | 2328 | DllCommonsvc.exe | 69
PID 2328 wrote to memory of 1464 | 2328 | DllCommonsvc.exe | 69
PID 2328 wrote to memory of 1464 | 2328 | DllCommonsvc.exe | 69
PID 2328 wrote to memory of 1916 | 2328 | DllCommonsvc.exe | 71
PID 2328 wrote to memory of 1916 | 2328 | DllCommonsvc.exe | 71
PID 2328 wrote to memory of 1916 | 2328 | DllCommonsvc.exe | 71
PID 2328 wrote to memory of 2144 | 2328 | DllCommonsvc.exe | 72
PID 2328 wrote to memory of 2144 | 2328 | DllCommonsvc.exe | 72
PID 2328 wrote to memory of 2144 | 2328 | DllCommonsvc.exe | 72
PID 2328 wrote to memory of 2396 | 2328 | DllCommonsvc.exe | 73
PID 2328 wrote to memory of 2396 | 2328 | DllCommonsvc.exe | 73
PID 2328 wrote to memory of 2396 | 2328 | DllCommonsvc.exe | 73
PID 2328 wrote to memory of 932 | 2328 | DllCommonsvc.exe | 75
PID 2328 wrote to memory of 932 | 2328 | DllCommonsvc.exe | 75
PID 2328 wrote to memory of 932 | 2328 | DllCommonsvc.exe | 75
PID 2328 wrote to memory of 1596 | 2328 | DllCommonsvc.exe | 77
PID 2328 wrote to memory of 1596 | 2328 | DllCommonsvc.exe | 77
PID 2328 wrote to memory of 1596 | 2328 | DllCommonsvc.exe | 77
PID 2328 wrote to memory of 2388 | 2328 | DllCommonsvc.exe | 78
PID 2328 wrote to memory of 2388 | 2328 | DllCommonsvc.exe | 78
PID 2328 wrote to memory of 2388 | 2328 | DllCommonsvc.exe | 78
PID 2328 wrote to memory of 1780 | 2328 | DllCommonsvc.exe | 79
PID 2328 wrote to memory of 1780 | 2328 | DllCommonsvc.exe | 79
PID 2328 wrote to memory of 1780 | 2328 | DllCommonsvc.exe | 79
PID 2328 wrote to memory of 2204 | 2328 | DllCommonsvc.exe | 80
PID 2328 wrote to memory of 2204 | 2328 | DllCommonsvc.exe | 80
PID 2328 wrote to memory of 2204 | 2328 | DllCommonsvc.exe | 80
PID 2328 wrote to memory of 908 | 2328 | DllCommonsvc.exe | 81
PID 2328 wrote to memory of 908 | 2328 | DllCommonsvc.exe | 81
PID 2328 wrote to memory of 908 | 2328 | DllCommonsvc.exe | 81
PID 2328 wrote to memory of 236 | 2328 | DllCommonsvc.exe | 82
PID 2328 wrote to memory of 236 | 2328 | DllCommonsvc.exe | 82
PID 2328 wrote to memory of 236 | 2328 | DllCommonsvc.exe | 82
PID 2328 wrote to memory of 2880 | 2328 | DllCommonsvc.exe | 92
PID 2328 wrote to memory of 2880 | 2328 | DllCommonsvc.exe | 92
PID 2328 wrote to memory of 2880 | 2328 | DllCommonsvc.exe | 92
PID 2880 wrote to memory of 2236 | 2880 | cmd.exe | 94
PID 2880 wrote to memory of 2236 | 2880 | cmd.exe | 94
PID 2880 wrote to memory of 2236 | 2880 | cmd.exe | 94
PID 2880 wrote to memory of 2116 | 2880 | cmd.exe | 95
PID 2880 wrote to memory of 2116 | 2880 | cmd.exe | 95
PID 2880 wrote to memory of 2116 | 2880 | cmd.exe | 95
PID 2116 wrote to memory of 1736 | 2116 | lsm.exe | 96
PID 2116 wrote to memory of 1736 | 2116 | lsm.exe | 96
PID 2116 wrote to memory of 1736 | 2116 | lsm.exe | 96
PID 1736 wrote to memory of 3008 | 1736 | cmd.exe | 98
PID 1736 wrote to memory of 3008 | 1736 | cmd.exe | 98
PID 1736 wrote to memory of 3008 | 1736 | cmd.exe | 98
PID 1736 wrote to memory of 1472 | 1736 | cmd.exe | 99
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\services.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2236
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:3008
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat" 9⤵ PID:1560
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2084
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat" 11⤵ PID:776
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:1168
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat" 13⤵ PID:1720
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:2100
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat" 15⤵ PID:3004
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:1248
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat" 17⤵ PID:2328
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:2260
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat" 19⤵ PID:1016
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:1348
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat" 21⤵ PID:1684
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:1824
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat" 23⤵ PID:236
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2840
-
-
C:\Program Files (x86)\Windows Portable Devices\lsm.exe "C:\Program Files (x86)\Windows Portable Devices\lsm.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
Network
-
Remote address: 8.8.8.8:53
Request: raw.githubusercontent.com IN A
Response:
raw.githubusercontent.com IN A 185.199.110.133
raw.githubusercontent.com IN A 185.199.111.133
raw.githubusercontent.com IN A 185.199.109.133
raw.githubusercontent.com IN A 185.199.108.133
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB