Analysis
- max time kernel: 147s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 01:55
Behavioral task: behavioral1
- Sample: JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
- Size: 1.3MB
- MD5: bc2b67f63b3b07241fde5db665cd8022
- SHA1: 9811b6429483dd3e85992a2bc3df2f70c08c112c
- SHA256: bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874
- SHA512: 08928d21f9b71341618240f68b73be07979f4d213db60051a9a40033f04d669c56981e176c6e67e0ce6ef0b42fef110c77033f879976047237f24f15869e6d24
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 352 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1004 | 2620 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 892 | 2620 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0007000000019261-12.dat | dcrat
behavioral1/memory/2580-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp | dcrat
behavioral1/memory/1788-101-0x0000000000D40000-0x0000000000E50000-memory.dmp | dcrat
behavioral1/memory/1100-160-0x0000000000F50000-0x0000000001060000-memory.dmp | dcrat
behavioral1/memory/2696-339-0x0000000001150000-0x0000000001260000-memory.dmp | dcrat
behavioral1/memory/2388-517-0x00000000001C0000-0x00000000002D0000-memory.dmp | dcrat
behavioral1/memory/2196-577-0x0000000000980000-0x0000000000A90000-memory.dmp | dcrat
behavioral1/memory/2968-637-0x0000000000360000-0x0000000000470000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1652 | powershell.exe
812 | powershell.exe
620 | powershell.exe
2084 | powershell.exe
2344 | powershell.exe
1264 | powershell.exe
1928 | powershell.exe
2052 | powershell.exe
840 | powershell.exe
2572 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2580 | DllCommonsvc.exe
3032 | DllCommonsvc.exe
1788 | csrss.exe
1100 | csrss.exe
2972 | csrss.exe
2344 | csrss.exe
2696 | csrss.exe
2736 | csrss.exe
2428 | csrss.exe
2388 | csrss.exe
2196 | csrss.exe
2968 | csrss.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2312 | cmd.exe
2312 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\5940a34987c991 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2260 | schtasks.exe
2416 | schtasks.exe
1220 | schtasks.exe
2204 | schtasks.exe
776 | schtasks.exe
2484 | schtasks.exe
2940 | schtasks.exe
352 | schtasks.exe
2524 | schtasks.exe
1004 | schtasks.exe
892 | schtasks.exe
2520 | schtasks.exe
1708 | schtasks.exe
3016 | schtasks.exe
1888 | schtasks.exe
2516 | schtasks.exe
1752 | schtasks.exe
3064 | schtasks.exe
2400 | schtasks.exe
2996 | schtasks.exe
1724 | schtasks.exe
2800 | schtasks.exe
2756 | schtasks.exe
2536 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
2580 | DllCommonsvc.exe
2580 | DllCommonsvc.exe
2580 | DllCommonsvc.exe
2580 | DllCommonsvc.exe
2580 | DllCommonsvc.exe
1264 | powershell.exe
1652 | powershell.exe
620 | powershell.exe
1928 | powershell.exe
812 | powershell.exe
3032 | DllCommonsvc.exe
2052 | powershell.exe
840 | powershell.exe
2572 | powershell.exe
2344 | powershell.exe
2084 | powershell.exe
1788 | csrss.exe
1100 | csrss.exe
2972 | csrss.exe
2344 | csrss.exe
2696 | csrss.exe
2736 | csrss.exe
2428 | csrss.exe
2388 | csrss.exe
2196 | csrss.exe
2968 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2580 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1264 | powershell.exe
Token: SeDebugPrivilege | 1652 | powershell.exe
Token: SeDebugPrivilege | 620 | powershell.exe
Token: SeDebugPrivilege | 1928 | powershell.exe
Token: SeDebugPrivilege | 812 | powershell.exe
Token: SeDebugPrivilege | 3032 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 840 | powershell.exe
Token: SeDebugPrivilege | 2572 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 2084 | powershell.exe
Token: SeDebugPrivilege | 1788 | csrss.exe
Token: SeDebugPrivilege | 1100 | csrss.exe
Token: SeDebugPrivilege | 2972 | csrss.exe
Token: SeDebugPrivilege | 2344 | csrss.exe
Token: SeDebugPrivilege | 2696 | csrss.exe
Token: SeDebugPrivilege | 2736 | csrss.exe
Token: SeDebugPrivilege | 2428 | csrss.exe
Token: SeDebugPrivilege | 2388 | csrss.exe
Token: SeDebugPrivilege | 2196 | csrss.exe
Token: SeDebugPrivilege | 2968 | csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1552 wrote to memory of 2916 | 1552 | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe | 31
PID 1552 wrote to memory of 2916 | 1552 | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe | 31
PID 1552 wrote to memory of 2916 | 1552 | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe | 31
PID 1552 wrote to memory of 2916 | 1552 | JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe | 31
PID 2916 wrote to memory of 2312 | 2916 | WScript.exe | 32
PID 2916 wrote to memory of 2312 | 2916 | WScript.exe | 32
PID 2916 wrote to memory of 2312 | 2916 | WScript.exe | 32
PID 2916 wrote to memory of 2312 | 2916 | WScript.exe | 32
PID 2312 wrote to memory of 2580 | 2312 | cmd.exe | 34
PID 2312 wrote to memory of 2580 | 2312 | cmd.exe | 34
PID 2312 wrote to memory of 2580 | 2312 | cmd.exe | 34
PID 2312 wrote to memory of 2580 | 2312 | cmd.exe | 34
PID 2580 wrote to memory of 1264 | 2580 | DllCommonsvc.exe | 48
PID 2580 wrote to memory of 1264 | 2580 | DllCommonsvc.exe | 48
PID 2580 wrote to memory of 1264 | 2580 | DllCommonsvc.exe | 48
PID 2580 wrote to memory of 1928 | 2580 | DllCommonsvc.exe | 49
PID 2580 wrote to memory of 1928 | 2580 | DllCommonsvc.exe | 49
PID 2580 wrote to memory of 1928 | 2580 | DllCommonsvc.exe | 49
PID 2580 wrote to memory of 1652 | 2580 | DllCommonsvc.exe | 50
PID 2580 wrote to memory of 1652 | 2580 | DllCommonsvc.exe | 50
PID 2580 wrote to memory of 1652 | 2580 | DllCommonsvc.exe | 50
PID 2580 wrote to memory of 812 | 2580 | DllCommonsvc.exe | 51
PID 2580 wrote to memory of 812 | 2580 | DllCommonsvc.exe | 51
PID 2580 wrote to memory of 812 | 2580 | DllCommonsvc.exe | 51
PID 2580 wrote to memory of 620 | 2580 | DllCommonsvc.exe | 52
PID 2580 wrote to memory of 620 | 2580 | DllCommonsvc.exe | 52
PID 2580 wrote to memory of 620 | 2580 | DllCommonsvc.exe | 52
PID 2580 wrote to memory of 2244 | 2580 | DllCommonsvc.exe | 58
PID 2580 wrote to memory of 2244 | 2580 | DllCommonsvc.exe | 58
PID 2580 wrote to memory of 2244 | 2580 | DllCommonsvc.exe | 58
PID 2244 wrote to memory of 1532 | 2244 | cmd.exe | 60
PID 2244 wrote to memory of 1532 | 2244 | cmd.exe | 60
PID 2244 wrote to memory of 1532 | 2244 | cmd.exe | 60
PID 2244 wrote to memory of 3032 | 2244 | cmd.exe | 61
PID 2244 wrote to memory of 3032 | 2244 | cmd.exe | 61
PID 2244 wrote to memory of 3032 | 2244 | cmd.exe | 61
PID 3032 wrote to memory of 2052 | 3032 | DllCommonsvc.exe | 74
PID 3032 wrote to memory of 2052 | 3032 | DllCommonsvc.exe | 74
PID 3032 wrote to memory of 2052 | 3032 | DllCommonsvc.exe | 74
PID 3032 wrote to memory of 840 | 3032 | DllCommonsvc.exe | 75
PID 3032 wrote to memory of 840 | 3032 | DllCommonsvc.exe | 75
PID 3032 wrote to memory of 840 | 3032 | DllCommonsvc.exe | 75
PID 3032 wrote to memory of 2344 | 3032 | DllCommonsvc.exe | 76
PID 3032 wrote to memory of 2344 | 3032 | DllCommonsvc.exe | 76
PID 3032 wrote to memory of 2344 | 3032 | DllCommonsvc.exe | 76
PID 3032 wrote to memory of 2572 | 3032 | DllCommonsvc.exe | 78
PID 3032 wrote to memory of 2572 | 3032 | DllCommonsvc.exe | 78
PID 3032 wrote to memory of 2572 | 3032 | DllCommonsvc.exe | 78
PID 3032 wrote to memory of 2084 | 3032 | DllCommonsvc.exe | 79
PID 3032 wrote to memory of 2084 | 3032 | DllCommonsvc.exe | 79
PID 3032 wrote to memory of 2084 | 3032 | DllCommonsvc.exe | 79
PID 3032 wrote to memory of 2632 | 3032 | DllCommonsvc.exe | 84
PID 3032 wrote to memory of 2632 | 3032 | DllCommonsvc.exe | 84
PID 3032 wrote to memory of 2632 | 3032 | DllCommonsvc.exe | 84
PID 2632 wrote to memory of 2404 | 2632 | cmd.exe | 86
PID 2632 wrote to memory of 2404 | 2632 | cmd.exe | 86
PID 2632 wrote to memory of 2404 | 2632 | cmd.exe | 86
PID 2632 wrote to memory of 1788 | 2632 | cmd.exe | 87
PID 2632 wrote to memory of 1788 | 2632 | cmd.exe | 87
PID 2632 wrote to memory of 1788 | 2632 | cmd.exe | 87
PID 1788 wrote to memory of 408 | 1788 | csrss.exe | 88
PID 1788 wrote to memory of 408 | 1788 | csrss.exe | 88
PID 1788 wrote to memory of 408 | 1788 | csrss.exe | 88
PID 408 wrote to memory of 348 | 408 | cmd.exe | 90
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\DllCommonsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zm1JPwAIFX.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵ PID:1532
-
-
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵ PID:2404
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵ PID:348
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
11⤵ PID:1776
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵ PID:3052
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
13⤵ PID:1844
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵ PID:2408
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
15⤵ PID:1360
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵ PID:2732
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
17⤵ PID:2000
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵ PID:1652
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
19⤵ PID:1508
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵ PID:1416
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
21⤵ PID:2588
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵ PID:2804
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
23⤵ PID:788
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵ PID:3012
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
25⤵ PID:1004
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵ PID:892
-
-
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA1c6248e12438cbe90cb7d73fa7c444150767bfc56
SHA25687ae8d2fa78c3d80cbfd63b289688ce42109dddef96a6c838174beefa45b2ee3
SHA512654438e68ef23deb229a8276d6a5ee1053a7fa7f7e0387ccc952e1515f077a32d722ff33a78c3887d802d6575ecd1c23043f7512292f8d0d505697cfc114f058
-
Filesize
222B
MD5108f97ee97286515e7e328046eafe20d
SHA1dc8133b794e15d16c04b424c1764bb89d368a2a9
SHA256cc396d2ebd455085e53e2c220e3524b5232576d6abae6dd83f4e8ee5369569ca
SHA5120b145c036ef45c881a05de411195315c1dc7ba337af65a0854a916d588fd0abdff075df5ef626c8629fa10035836043d4e31725b32dc7fbdd19b6ff8637052bd
-
Filesize
222B
MD581fdcbb6868dc2e80451061da72a5659
SHA1cc259edf75f2d12caa56b19f09c5c5a5e88dad10
SHA256abc8772aa5fbabb6b4cd890f3d70ed8b7906ff48c1ec85167e522d397e310853
SHA51274e7bc7435176310505b9c4ebe9701adb49f0fdca43324775f21db2da446f1cff7df7f7360bc5708ec8455a8c041a81d444762a8f0b8ba6aababac17f55e87f1
-
Filesize
222B
MD57e528386db6184b7a1dbe3b65dc864d4
SHA1d42fcfc5f0e8250f20f9621b0a6a31767fde5148
SHA25667680004484c56c9d017d25f7008ea5aadd811ea20bdec183fc7bd8221c7c79a
SHA51246eb3447a9a4a5bcc16c1b47833fed05c68065fe4eb45c0aa71b39076a2227c22a2c4e15990fab088c31e6965811df4eb94eca6d180a40ebfbe11f1265a9d2cb
-
Filesize
222B
MD52e7e6d655382a2603b6cf2eb36904b56
SHA1172cb8e1ddcaca94aae3bd6dc69d4fbef324b560
SHA2565d02e2b61de10931c4e529f965533d6da6b075be0e0fc406d91f87c9933872d2
SHA5127b3bd64c3e0b3b967bd29d0796e4ca62089729c8d137252b8f4b810438e2ef2efa48e5de5a52bbc78deaebf1ad090bc593eaf4963c0f14b76a53cf95efdadfce
-
Filesize
222B
MD5ddfddbf56aa45d4fa2bb84a24236444c
SHA13ca2c96fe9c862cb77e7be55f47ff4a2e74ea100
SHA25603c57c744eee81eb24af1b78b81c9b60a172010d0acc359149e7d5537d0d389c
SHA512379f6e8949cb02b131f0afc74665cf562a0efae478f9db81238fb4bb23688fdd5112c435309582d45a89dc73888836f8efd639fb7cc378ba3cf0165c897688d0
-
Filesize
199B
MD5013ee681a48f14069f6273f650e27246
SHA16c9ac92c738b0787f82271d218bfc0564bb5e699
SHA2568b9d7cc5b87632b2239eaa590b60a3a659609ba0409a01050d168d1d65d6089b
SHA5124e81335875e11239ca37c2d6222ada0041422364cbf614e92b1ed9a4a866bedf71e81c3129ad2249350f506b704ac4cd113423e95ca2ec0fdbbf9d82fefea9b3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5d9fc1467eb7179d20169f3b8c97c10d2
SHA18736777704b42210b805a0521bec1215c075e9da
SHA25641bc90b65142a55f3ab4096159cd1cc1d2609dc9b3173bb54f258923d61a997b
SHA5122b7d273e277a8e9ac78af0fdb860869eb1f6893c11b557c3af02e6333e82f85176123f6e4d40ec7a2f2b24903f4dd4ead282162bbcf9551bd26ea032d63abded
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5b97e438f0526da436383f97c8974529d
SHA14ee3cbbe55ca022d5eba65690c8b31920b7a96ba
SHA256dabf0b7544b4b9dee68f0a430ca9611a72d25c919efd882b2ee58ebada3e4e7b
SHA512e03776acc03bb6bfa25440f87388c6eacecf2fba2235ca64b03071d2b029468031568c1f0a4c3ab84de123c1b00a0572e6f8cfea346e0a0fe86c2e85d27b92cd
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478