Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 01:53
Behavioral task
behavioral1
Sample
JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
-
Size
1.3MB
-
MD5
e67ebb81ae669b773824e66ceae84b8c
-
SHA1
9c91ca4729083c674e9d439977ee3647c9333b14
-
SHA256
dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc
-
SHA512
588abb3d4f228994af827a20038b5a98ebfed45abb38069e2e514ef61a1e7ed4045515da7212df721ffe3d7d1dcb6a66f630be9c8b3b1ddcacda4d331219f8c0
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 328 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 484 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 604 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 860 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3032 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 2184 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 2184 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0007000000015da7-9.dat | dcrat
behavioral1/memory/2724-13-0x0000000000F10000-0x0000000001020000-memory.dmp | dcrat
behavioral1/memory/1560-40-0x0000000001110000-0x0000000001220000-memory.dmp | dcrat
behavioral1/memory/2312-134-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
behavioral1/memory/2332-195-0x0000000000990000-0x0000000000AA0000-memory.dmp | dcrat
behavioral1/memory/2220-255-0x00000000010C0000-0x00000000011D0000-memory.dmp | dcrat
behavioral1/memory/2444-493-0x0000000000190000-0x00000000002A0000-memory.dmp | dcrat
behavioral1/memory/3016-553-0x0000000000FB0000-0x00000000010C0000-memory.dmp | dcrat
behavioral1/memory/2128-613-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/320-673-0x0000000000980000-0x0000000000A90000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2248 | powershell.exe
1904 | powershell.exe
2336 | powershell.exe
1752 | powershell.exe
2424 | powershell.exe
2428 | powershell.exe
2532 | powershell.exe
2372 | powershell.exe
2124 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2724 | DllCommonsvc.exe
1560 | System.exe
2312 | System.exe
2332 | System.exe
2220 | System.exe
1568 | System.exe
604 | System.exe
1724 | System.exe
2444 | System.exe
3016 | System.exe
2128 | System.exe
320 | System.exe
-
Loads dropped DLL 2 IoCs
pid | Process
3060 | cmd.exe
3060 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
27 | raw.githubusercontent.com
40 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
9 | raw.githubusercontent.com
19 | raw.githubusercontent.com
23 | raw.githubusercontent.com
31 | raw.githubusercontent.com
34 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\0407\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Windows\System32\0407\1610b97d3ab4a7 | DllCommonsvc.exe
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\en-US\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\en-US\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\7a0fd90576e088 | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Globalization\Sorting\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Globalization\Sorting\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\Media\Raga\System.exe | DllCommonsvc.exe
File created | C:\Windows\Media\Raga\27d1bcfc3c54e0 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1116 | schtasks.exe
2856 | schtasks.exe
3012 | schtasks.exe
2944 | schtasks.exe
2392 | schtasks.exe
328 | schtasks.exe
1532 | schtasks.exe
604 | schtasks.exe
1920 | schtasks.exe
860 | schtasks.exe
2852 | schtasks.exe
1880 | schtasks.exe
2860 | schtasks.exe
1980 | schtasks.exe
3032 | schtasks.exe
2672 | schtasks.exe
1912 | schtasks.exe
2708 | schtasks.exe
2312 | schtasks.exe
484 | schtasks.exe
2972 | schtasks.exe
2644 | schtasks.exe
2824 | schtasks.exe
2620 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid | Process
2724 | DllCommonsvc.exe
2724 | DllCommonsvc.exe
2724 | DllCommonsvc.exe
2724 | DllCommonsvc.exe
2724 | DllCommonsvc.exe
1560 | System.exe
2424 | powershell.exe
2372 | powershell.exe
2428 | powershell.exe
1904 | powershell.exe
1752 | powershell.exe
2336 | powershell.exe
2532 | powershell.exe
2248 | powershell.exe
2124 | powershell.exe
2312 | System.exe
2332 | System.exe
2220 | System.exe
1568 | System.exe
604 | System.exe
1724 | System.exe
2444 | System.exe
3016 | System.exe
2128 | System.exe
320 | System.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2724 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1560 | System.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 2428 | powershell.exe
Token: SeDebugPrivilege | 1904 | powershell.exe
Token: SeDebugPrivilege | 2336 | powershell.exe
Token: SeDebugPrivilege | 1752 | powershell.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
Token: SeDebugPrivilege | 2248 | powershell.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 2312 | System.exe
Token: SeDebugPrivilege | 2332 | System.exe
Token: SeDebugPrivilege | 2220 | System.exe
Token: SeDebugPrivilege | 1568 | System.exe
Token: SeDebugPrivilege | 604 | System.exe
Token: SeDebugPrivilege | 1724 | System.exe
Token: SeDebugPrivilege | 2444 | System.exe
Token: SeDebugPrivilege | 3016 | System.exe
Token: SeDebugPrivilege | 2128 | System.exe
Token: SeDebugPrivilege | 320 | System.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1884 wrote to memory of 3064 | 1884 | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe | 30
PID 1884 wrote to memory of 3064 | 1884 | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe | 30
PID 1884 wrote to memory of 3064 | 1884 | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe | 30
PID 1884 wrote to memory of 3064 | 1884 | JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe | 30
PID 3064 wrote to memory of 3060 | 3064 | WScript.exe | 31
PID 3064 wrote to memory of 3060 | 3064 | WScript.exe | 31
PID 3064 wrote to memory of 3060 | 3064 | WScript.exe | 31
PID 3064 wrote to memory of 3060 | 3064 | WScript.exe | 31
PID 3060 wrote to memory of 2724 | 3060 | cmd.exe | 33
PID 3060 wrote to memory of 2724 | 3060 | cmd.exe | 33
PID 3060 wrote to memory of 2724 | 3060 | cmd.exe | 33
PID 3060 wrote to memory of 2724 | 3060 | cmd.exe | 33
PID 2724 wrote to memory of 2372 | 2724 | DllCommonsvc.exe | 59
PID 2724 wrote to memory of 2372 | 2724 | DllCommonsvc.exe | 59
PID 2724 wrote to memory of 2372 | 2724 | DllCommonsvc.exe | 59
PID 2724 wrote to memory of 2124 | 2724 | DllCommonsvc.exe | 60
PID 2724 wrote to memory of 2124 | 2724 | DllCommonsvc.exe | 60
PID 2724 wrote to memory of 2124 | 2724 | DllCommonsvc.exe | 60
PID 2724 wrote to memory of 1752 | 2724 | DllCommonsvc.exe | 62
PID 2724 wrote to memory of 1752 | 2724 | DllCommonsvc.exe | 62
PID 2724 wrote to memory of 1752 | 2724 | DllCommonsvc.exe | 62
PID 2724 wrote to memory of 1904 | 2724 | DllCommonsvc.exe | 63
PID 2724 wrote to memory of 1904 | 2724 | DllCommonsvc.exe | 63
PID 2724 wrote to memory of 1904 | 2724 | DllCommonsvc.exe | 63
PID 2724 wrote to memory of 2428 | 2724 | DllCommonsvc.exe | 64
PID 2724 wrote to memory of 2428 | 2724 | DllCommonsvc.exe | 64
PID 2724 wrote to memory of 2428 | 2724 | DllCommonsvc.exe | 64
PID 2724 wrote to memory of 2424 | 2724 | DllCommonsvc.exe | 65
PID 2724 wrote to memory of 2424 | 2724 | DllCommonsvc.exe | 65
PID 2724 wrote to memory of 2424 | 2724 | DllCommonsvc.exe | 65
PID 2724 wrote to memory of 2532 | 2724 | DllCommonsvc.exe | 66
PID 2724 wrote to memory of 2532 | 2724 | DllCommonsvc.exe | 66
PID 2724 wrote to memory of 2532 | 2724 | DllCommonsvc.exe | 66
PID 2724 wrote to memory of 2336 | 2724 | DllCommonsvc.exe | 67
PID 2724 wrote to memory of 2336 | 2724 | DllCommonsvc.exe | 67
PID 2724 wrote to memory of 2336 | 2724 | DllCommonsvc.exe | 67
PID 2724 wrote to memory of 2248 | 2724 | DllCommonsvc.exe | 68
PID 2724 wrote to memory of 2248 | 2724 | DllCommonsvc.exe | 68
PID 2724 wrote to memory of 2248 | 2724 | DllCommonsvc.exe | 68
PID 2724 wrote to memory of 1560 | 2724 | DllCommonsvc.exe | 77
PID 2724 wrote to memory of 1560 | 2724 | DllCommonsvc.exe | 77
PID 2724 wrote to memory of 1560 | 2724 | DllCommonsvc.exe | 77
PID 1560 wrote to memory of 1776 | 1560 | System.exe | 79
PID 1560 wrote to memory of 1776 | 1560 | System.exe | 79
PID 1560 wrote to memory of 1776 | 1560 | System.exe | 79
PID 1776 wrote to memory of 3000 | 1776 | cmd.exe | 81
PID 1776 wrote to memory of 3000 | 1776 | cmd.exe | 81
PID 1776 wrote to memory of 3000 | 1776 | cmd.exe | 81
PID 1776 wrote to memory of 2312 | 1776 | cmd.exe | 82
PID 1776 wrote to memory of 2312 | 1776 | cmd.exe | 82
PID 1776 wrote to memory of 2312 | 1776 | cmd.exe | 82
PID 2312 wrote to memory of 2600 | 2312 | System.exe | 83
PID 2312 wrote to memory of 2600 | 2312 | System.exe | 83
PID 2312 wrote to memory of 2600 | 2312 | System.exe | 83
PID 2600 wrote to memory of 928 | 2600 | cmd.exe | 85
PID 2600 wrote to memory of 928 | 2600 | cmd.exe | 85
PID 2600 wrote to memory of 928 | 2600 | cmd.exe | 85
PID 2600 wrote to memory of 2332 | 2600 | cmd.exe | 86
PID 2600 wrote to memory of 2332 | 2600 | cmd.exe | 86
PID 2600 wrote to memory of 2332 | 2600 | cmd.exe | 86
PID 2332 wrote to memory of 2924 | 2332 | System.exe | 87
PID 2332 wrote to memory of 2924 | 2332 | System.exe | 87
PID 2332 wrote to memory of 2924 | 2332 | System.exe | 87
PID 2924 wrote to memory of 2308 | 2924 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc17c38c81189de2805b13e1a41d0b8470e46e238677e78df8e1159602129bcc.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\sppsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\0407\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\OSPPSVC.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Raga\System.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:3000
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat" 8⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 9⤵ PID:928
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat" 10⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 11⤵ PID:2308
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat" 12⤵ PID:1116
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 13⤵ PID:1636
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat" 14⤵ PID:1868
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 15⤵ PID:2284
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat" 16⤵ PID:2576
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 17⤵ PID:620
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat" 18⤵ PID:2244
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 19⤵ PID:804
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat" 20⤵ PID:2936
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 21⤵ PID:3036
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat" 22⤵ PID:1596
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 23⤵ PID:1904
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat" 24⤵ PID:784
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 25⤵ PID:1644
-
-
C:\Windows\Media\Raga\System.exe "C:\Windows\Media\Raga\System.exe" 25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat" 26⤵ PID:1896
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 27⤵ PID:840
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\sppsvc.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\sppsvc.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\0407\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\0407\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\0407\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\OSPPSVC.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Documents\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\OSPPSVC.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Raga\System.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Media\Raga\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Raga\System.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55d79af8762524ad7d8e655ed7f4486e5
SHA17dbcada9660b4289c044d6d88e0ee20dac3aa6cb
SHA2561fc54406bc747cdaf1889e4c8d2fdde30a46df6099b1e2568e277d0e4b9b57d0
SHA51245e53386378eaf64d3c9b7fe852f07132ab79efe376ee8958e0fcb307ee485aaad2c59191921a6d5cc25785d24e6881f7d390d26e68f7c7235e30ac2420cfd45
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b73e15fda5fc3adf41b226e95d1a56d8
SHA1808eacf7b83a13285c2a77b417d4f4b516a9dd51
SHA256df959212e67ae6778f6dbd21eec3689b6d71bf93cc3c6c3301a45843c63462d8
SHA512e4c7a1b31a98e1820b01ee9b03cccf44621917dacb5e6ac507ad94b101064d9d68472f3223b70e7d899a104a03ac9f822293568aef5372844fb563f0adbc35ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a0d4eeb905aee8e973ca0afd4daca8fa
SHA1eebaad3c2439158174236347e8544288fed595b5
SHA25656e30aefd1cb6f54e43c4ee7b83625d41fa8fe0693ee4b7986f926c0e2c6824a
SHA512c1d043fe53b81afce138b993a95e19c0f085f2f1877e1b9a6f47006959840e71f2533fe38272baa784197ae31408610d4d391eb3354b7dbff572536aea282baf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50798ddd5a9544ea5b2fd93c77add57e4
SHA12e70adc6deb209ec6a98d527f1c216adb50ded03
SHA25616c9cb65f5dfbf21362f9934273be9280a933626c7c517933196f97314958d1e
SHA51203e137defec57c3c90cd5f20436bf4659c7737457aeb858964ab9f89e472542d42cd568e6a5ab1b95d0c5b404909d280e9c29f4c145429003a8b83e2b335ace3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB