Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 17:21
Behavioral task: behavioral1
- Sample: JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe
- Size: 1.3MB
- MD5: fedee8ea04a3f6492e257a602f572046
- SHA1: 1f66231cefbabedfeec7087ecb028720d89dd5af
- SHA256: 1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f
- SHA512: 8e376fad91e1762b52cac76c3a80ee11863d0786a05e7ccc67d25b8119dcb670f39c5d12e219675ed9236d410bdf55f270c45665388c20199aad7323c588aa64
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2860  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2960  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2740  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2660  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2616  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2680  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2892  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1292  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  272  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1900  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1884  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  320  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1816  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  600  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2896  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1088  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1612  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1128  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  816  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1656  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1640  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2936  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2940  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1324  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2124  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2548  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2644  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1844  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2784  2084  schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  448  2084  schtasks.exe  34
-
resource  yara_rule
behavioral1/files/0x0007000000015e48-9.dat  dcrat
behavioral1/memory/1320-13-0x00000000000D0000-0x00000000001E0000-memory.dmp  dcrat
behavioral1/memory/1152-48-0x0000000000100000-0x0000000000210000-memory.dmp  dcrat
behavioral1/memory/2828-159-0x00000000003D0000-0x00000000004E0000-memory.dmp  dcrat
behavioral1/memory/824-279-0x0000000000FE0000-0x00000000010F0000-memory.dmp  dcrat
behavioral1/memory/1320-458-0x0000000001320000-0x0000000001430000-memory.dmp  dcrat
behavioral1/memory/2732-518-0x00000000003B0000-0x00000000004C0000-memory.dmp  dcrat
behavioral1/memory/2368-578-0x0000000000C00000-0x0000000000D10000-memory.dmp  dcrat
behavioral1/memory/1476-639-0x0000000000F60000-0x0000000001070000-memory.dmp  dcrat
behavioral1/memory/2488-699-0x00000000003C0000-0x00000000004D0000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
1236  powershell.exe
1380  powershell.exe
1924  powershell.exe
3040  powershell.exe
3048  powershell.exe
628  powershell.exe
1036  powershell.exe
972  powershell.exe
2040  powershell.exe
2972  powershell.exe
2148  powershell.exe
-
Executes dropped EXE 12 IoCs
pid  Process
1320  DllCommonsvc.exe
1152  lsm.exe
2828  lsm.exe
2544  lsm.exe
824  lsm.exe
2468  lsm.exe
2492  lsm.exe
1320  lsm.exe
2732  lsm.exe
2368  lsm.exe
1476  lsm.exe
2488  lsm.exe
-
Loads dropped DLL 2 IoCs
pid  Process
2848  cmd.exe
2848  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
4  raw.githubusercontent.com
12  raw.githubusercontent.com
19  raw.githubusercontent.com
23  raw.githubusercontent.com
30  raw.githubusercontent.com
5  raw.githubusercontent.com
9  raw.githubusercontent.com
16  raw.githubusercontent.com
26  raw.githubusercontent.com
33  raw.githubusercontent.com
37  raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File created  C:\Program Files\7-Zip\sppsvc.exe  DllCommonsvc.exe
File created  C:\Program Files\7-Zip\0a1fd5f707cd16  DllCommonsvc.exe
File created  C:\Program Files (x86)\Uninstall Information\lsass.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2680  schtasks.exe
1324  schtasks.exe
2548  schtasks.exe
272  schtasks.exe
2896  schtasks.exe
2644  schtasks.exe
2660  schtasks.exe
1816  schtasks.exe
1612  schtasks.exe
448  schtasks.exe
2960  schtasks.exe
2892  schtasks.exe
1088  schtasks.exe
816  schtasks.exe
2936  schtasks.exe
2124  schtasks.exe
2860  schtasks.exe
2740  schtasks.exe
2616  schtasks.exe
1900  schtasks.exe
2784  schtasks.exe
1292  schtasks.exe
320  schtasks.exe
1128  schtasks.exe
1656  schtasks.exe
600  schtasks.exe
1844  schtasks.exe
1884  schtasks.exe
1640  schtasks.exe
2940  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid  Process
1320  DllCommonsvc.exe
1320  DllCommonsvc.exe
1320  DllCommonsvc.exe
1236  powershell.exe
1924  powershell.exe
1036  powershell.exe
1380  powershell.exe
2040  powershell.exe
3048  powershell.exe
2972  powershell.exe
972  powershell.exe
2148  powershell.exe
628  powershell.exe
3040  powershell.exe
1152  lsm.exe
2828  lsm.exe
2544  lsm.exe
824  lsm.exe
2468  lsm.exe
2492  lsm.exe
1320  lsm.exe
2732  lsm.exe
2368  lsm.exe
1476  lsm.exe
2488  lsm.exe
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description  pid  Process
Token: SeDebugPrivilege  1320  DllCommonsvc.exe
Token: SeDebugPrivilege  1236  powershell.exe
Token: SeDebugPrivilege  1924  powershell.exe
Token: SeDebugPrivilege  1036  powershell.exe
Token: SeDebugPrivilege  1380  powershell.exe
Token: SeDebugPrivilege  2040  powershell.exe
Token: SeDebugPrivilege  3048  powershell.exe
Token: SeDebugPrivilege  2972  powershell.exe
Token: SeDebugPrivilege  972  powershell.exe
Token: SeDebugPrivilege  2148  powershell.exe
Token: SeDebugPrivilege  628  powershell.exe
Token: SeDebugPrivilege  3040  powershell.exe
Token: SeDebugPrivilege  1152  lsm.exe
Token: SeDebugPrivilege  2828  lsm.exe
Token: SeDebugPrivilege  2544  lsm.exe
Token: SeDebugPrivilege  824  lsm.exe
Token: SeDebugPrivilege  2468  lsm.exe
Token: SeDebugPrivilege  2492  lsm.exe
Token: SeDebugPrivilege  1320  lsm.exe
Token: SeDebugPrivilege  2732  lsm.exe
Token: SeDebugPrivilege  2368  lsm.exe
Token: SeDebugPrivilege  1476  lsm.exe
Token: SeDebugPrivilege  2488  lsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1732 wrote to memory of 1864  1732  JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe  30
PID 1732 wrote to memory of 1864  1732  JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe  30
PID 1732 wrote to memory of 1864  1732  JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe  30
PID 1732 wrote to memory of 1864  1732  JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe  30
PID 1864 wrote to memory of 2848  1864  WScript.exe  31
PID 1864 wrote to memory of 2848  1864  WScript.exe  31
PID 1864 wrote to memory of 2848  1864  WScript.exe  31
PID 1864 wrote to memory of 2848  1864  WScript.exe  31
PID 2848 wrote to memory of 1320  2848  cmd.exe  33
PID 2848 wrote to memory of 1320  2848  cmd.exe  33
PID 2848 wrote to memory of 1320  2848  cmd.exe  33
PID 2848 wrote to memory of 1320  2848  cmd.exe  33
PID 1320 wrote to memory of 3040  1320  DllCommonsvc.exe  65
PID 1320 wrote to memory of 3040  1320  DllCommonsvc.exe  65
PID 1320 wrote to memory of 3040  1320  DllCommonsvc.exe  65
PID 1320 wrote to memory of 3048  1320  DllCommonsvc.exe  66
PID 1320 wrote to memory of 3048  1320  DllCommonsvc.exe  66
PID 1320 wrote to memory of 3048  1320  DllCommonsvc.exe  66
PID 1320 wrote to memory of 2972  1320  DllCommonsvc.exe  67
PID 1320 wrote to memory of 2972  1320  DllCommonsvc.exe  67
PID 1320 wrote to memory of 2972  1320  DllCommonsvc.exe  67
PID 1320 wrote to memory of 2148  1320  DllCommonsvc.exe  68
PID 1320 wrote to memory of 2148  1320  DllCommonsvc.exe  68
PID 1320 wrote to memory of 2148  1320  DllCommonsvc.exe  68
PID 1320 wrote to memory of 628  1320  DllCommonsvc.exe  69
PID 1320 wrote to memory of 628  1320  DllCommonsvc.exe  69
PID 1320 wrote to memory of 628  1320  DllCommonsvc.exe  69
PID 1320 wrote to memory of 1236  1320  DllCommonsvc.exe  70
PID 1320 wrote to memory of 1236  1320  DllCommonsvc.exe  70
PID 1320 wrote to memory of 1236  1320  DllCommonsvc.exe  70
PID 1320 wrote to memory of 1036  1320  DllCommonsvc.exe  71
PID 1320 wrote to memory of 1036  1320  DllCommonsvc.exe  71
PID 1320 wrote to memory of 1036  1320  DllCommonsvc.exe  71
PID 1320 wrote to memory of 972  1320  DllCommonsvc.exe  72
PID 1320 wrote to memory of 972  1320  DllCommonsvc.exe  72
PID 1320 wrote to memory of 972  1320  DllCommonsvc.exe  72
PID 1320 wrote to memory of 1380  1320  DllCommonsvc.exe  73
PID 1320 wrote to memory of 1380  1320  DllCommonsvc.exe  73
PID 1320 wrote to memory of 1380  1320  DllCommonsvc.exe  73
PID 1320 wrote to memory of 2040  1320  DllCommonsvc.exe  74
PID 1320 wrote to memory of 2040  1320  DllCommonsvc.exe  74
PID 1320 wrote to memory of 2040  1320  DllCommonsvc.exe  74
PID 1320 wrote to memory of 1924  1320  DllCommonsvc.exe  75
PID 1320 wrote to memory of 1924  1320  DllCommonsvc.exe  75
PID 1320 wrote to memory of 1924  1320  DllCommonsvc.exe  75
PID 1320 wrote to memory of 1152  1320  DllCommonsvc.exe  87
PID 1320 wrote to memory of 1152  1320  DllCommonsvc.exe  87
PID 1320 wrote to memory of 1152  1320  DllCommonsvc.exe  87
PID 1152 wrote to memory of 1720  1152  lsm.exe  89
PID 1152 wrote to memory of 1720  1152  lsm.exe  89
PID 1152 wrote to memory of 1720  1152  lsm.exe  89
PID 1720 wrote to memory of 3032  1720  cmd.exe  91
PID 1720 wrote to memory of 3032  1720  cmd.exe  91
PID 1720 wrote to memory of 3032  1720  cmd.exe  91
PID 1720 wrote to memory of 2828  1720  cmd.exe  92
PID 1720 wrote to memory of 2828  1720  cmd.exe  92
PID 1720 wrote to memory of 2828  1720  cmd.exe  92
PID 2828 wrote to memory of 1060  2828  lsm.exe  93
PID 2828 wrote to memory of 1060  2828  lsm.exe  93
PID 2828 wrote to memory of 1060  2828  lsm.exe  93
PID 1060 wrote to memory of 1764  1060  cmd.exe  95
PID 1060 wrote to memory of 1764  1060  cmd.exe  95
PID 1060 wrote to memory of 1764  1060  cmd.exe  95
PID 1060 wrote to memory of 2544  1060  cmd.exe  96
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3032
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1764
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"10⤵PID:1896
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1040
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"12⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1736
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"14⤵PID:1528
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1224
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"16⤵PID:1064
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2524
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"18⤵PID:2088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2356
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"20⤵PID:2844
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2188
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"22⤵PID:3000
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1036
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"24⤵PID:1772
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:236
-
-
C:\Users\Admin\AppData\Local\lsm.exe"C:\Users\Admin\AppData\Local\lsm.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA5124fb786d915e714c2b15bc3f388c115d64def91856a0e419f7a16bf7b06171a4d4112bf3c205a37f671c1b383def943005502b27006762d8e9996105d145af964
-
Filesize
201B
MD5a7a41826154afe59f4e060478583803c
SHA161752c4940062cb1802b9d47655ade460d182e54
SHA25686d50738ca25ce1c19ab99d9dd979f65788a50eb15d36689ede4760aa77d5e2f
SHA51247ac1c65503cb471ed8ab8101cf2e012b7452ef10ab02d0490f692903534bf94d992a5aac35b0adec7a8b9a512777b3d9b48ebe1347c5a7efc3bb6c6592a76df
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
201B
MD5bc0fcc5c7fa71eba10a54b11c27472f6
SHA1fe67b48d0724731cbcc85a58ebe71ab6047ef2df
SHA256751c2365301f396e60dbd32e76de1eae843261acd45d3eef41c3394724a5a106
SHA512a5bc4c1b14179826b26cf8a44f782fad6525a848051fb42f9a3778afd47eaeac013f14d1acd21cb5619354532cbc57b995530c32cbdb84d29c2a569349d5a7ad
-
Filesize
201B
MD581f21bc3eaebb55712064214af6126e1
SHA149a9d4047a480ca3d02e15b0ac39b80fba14c628
SHA25691b3511d6487b47076478403aa076aad6dbf385a19fde5b41bd6efdfe3794f32
SHA512e923415b0666efdefddfc600ec7e1656b624fe9dc24194effc47ffa3a813dbb6ae1028eb1f28c1af4c4918ca521a81482d5c30fc91814ece043ba0f9e09b736d
-
Filesize
201B
MD54647100d7660a9133df75201ed057997
SHA1020a04da5075c5c6b053d0bc8fe01950d581f120
SHA25685cbd0153bd882bedbfe0d39da466cedb5d69dd90521ea2d3268ca5de54a5e35
SHA512dedf2d11e4a8926cc6ae4a313b0d7bd85bb33472614b16b5a04d23ef13d4b31c7c300c016dca8c8fa79ab4672d5ecc4b3795ae34e71c02b38fb4aa73c5778ef8
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
201B
MD5a6089311c50e86c4485f624ab55c25d4
SHA19895035b93f64af8c37ce02db8c9ffa1e1850fe1
SHA256ccd7ace21e3690190f40adcbfc47de7c67e400a70558aa1440c6444507e515a7
SHA51270d63159d0ffe7f76739871d6e010f33115e6458bd4d69386473455cea00899dbba4e2107e6e6ff7df0ac62d37a90b2a3e9b97c0d3c8eb7c601319c889574825
-
Filesize
201B
MD57c077d097b2a26a34cc28636cdedbf71
SHA139b32c4b0886da40366a8c04e81238671b06fe4d
SHA256d95b122925dd5ab138247d12320105a37596e9585120b41802e1b06da3af89b3
SHA5124eb81420cb4930c24e0a67d6aa052fe3b928e6ef6a3c6da2a6dfdc4455a9f9e5a6418e76d274d4b73a68901124d1a24e4abaac59ee8afbf9207bdce15532b774
-
Filesize
201B
MD5d6dd93fa373194d37eb0ff2ad271839a
SHA1a46bacc7bdaf83f61a7d6e02f363c56022bdbe20
SHA256f7e09187a1b5703f2d7054b1ce8682e6ef45fbb871575ec7117b118ec4306ba2
SHA51231781855d4daeed1e6d4d8e7b0e0f258e97dafb4a9e5a576d6719dbd09414f46ce4c24b93e0bf2ee76d437cf797f0bd389e454d2168c84782acd1aa082e6f5c7
-
Filesize
201B
MD5e314a3d6ba5973cbfd663e163df8f640
SHA10a4d5fbeec4823213b3819d7dbe37e29b09424dd
SHA256430b644e5399787ccb064e834bf15db984ddc9399664c89e1d7c21d8798be912
SHA512b75be15ce022bf374d0ff6b4d696fc495e4a866acc69fd4572426595ecdb6b99aa7ca61ca60257d9473f9c5e70e829af5fa2347e426dfacc1570f5df01d50fa1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD586c8dd5d16f23b41e6d62d10863b16a3
SHA1e46f108c036e9b6f7e8aea6031d8f8945937a96a
SHA2562dd5036c66ec335cb86ef5bcbcafd10dd69daedb47aef062dd0e5ce2cf6d30ee
SHA512759e01374ec1669fc379b7d815117428674eff493d06154f540d915e7cbcb089184a370cc17112aa1ac06b88e1d34a65678ec28ce4eb6e97526c8463e1889515
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394