Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 01:49
Behavioral task: behavioral1
Sample: JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe
Size: 1.3MB
MD5: 43d23305d3f6d8c4e50045d0cc0b5cea
SHA1: 9d3deb67bf8d0b4c5173c3b9c85970f8c1d72a8a
SHA256: 7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d
SHA512: 341ccbc62fbd732eb62bc4347a8e20282734ee9165a4a7a1069079ffb40735d07a0d5bfe4f8aafb348b7c9fead78cbe5c7fb3f4543889fab494c24f7bc235dc8
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2812 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1472 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2568 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 296 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 788 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2836 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1088 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2492 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 960 | 2924 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2924 | schtasks.exe | 34
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
Loads dropped DLL 2 IoCs
pid | Process
2344 | cmd.exe
2344 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
37 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
18 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
30 | raw.githubusercontent.com
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\6203df4a6bafc7 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 22 IoCs
Suspicious use of AdjustPrivilegeToken 22 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:1496
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:2812
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"10⤵PID:2264
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2932
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"12⤵PID:1736
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:3016
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"14⤵PID:1828
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2904
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"16⤵PID:2184
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:2844
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"18⤵PID:2256
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:2600
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"20⤵PID:2384
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:1248
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"22⤵PID:1888
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:936
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"24⤵PID:756
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB