Analysis
-
max time kernel
149s
-
max time network
145s
-
platform
windows7_x64
-
resource
win7-20241023-en
-
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
-
submitted
30/12/2024, 17:46
Behavioral task
behavioral1
Sample
JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe
-
Size
1.3MB
-
MD5
5e44b89b39c58244d07e53f6ed7cc212
-
SHA1
7dee7a8cb4049ebe460d1c4101c9e05bf67b5cf5
-
SHA256
41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9
-
SHA512
9ad165c96e362b135fc7f767d931a71f6e1316e9267574f02508a98e3d6aad076436a8547b5e2e53fbd898942b8c3c6b404628c49a9b2c40c8bb1cd0d2933dad
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2740 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1072 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2272 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1632 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1236 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 696 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1756 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 576 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2972 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2972 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x00070000000186ed-10.dat | dcrat
behavioral1/memory/2568-13-0x00000000003F0000-0x0000000000500000-memory.dmp | dcrat
behavioral1/memory/1956-44-0x0000000000280000-0x0000000000390000-memory.dmp | dcrat
behavioral1/memory/2224-92-0x0000000001310000-0x0000000001420000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2556 | powershell.exe
2328 | powershell.exe
1772 | powershell.exe
1852 | powershell.exe
3040 | powershell.exe
2196 | powershell.exe
2264 | powershell.exe
2376 | powershell.exe
1608 | powershell.exe
2920 | powershell.exe
1916 | powershell.exe
-
Executes dropped EXE 13 IoCs
pid | Process
2568 | DllCommonsvc.exe
1956 | DllCommonsvc.exe
2224 | audiodg.exe
856 | audiodg.exe
1752 | audiodg.exe
640 | audiodg.exe
2712 | audiodg.exe
1596 | audiodg.exe
1872 | audiodg.exe
1088 | audiodg.exe
2012 | audiodg.exe
948 | audiodg.exe
2220 | audiodg.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1676 | cmd.exe
1676 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
4 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
26 | raw.githubusercontent.com
36 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
-
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Services\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\Services\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\Services\csrss.exe | DllCommonsvc.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\PolicyDefinitions\ja-JP\System.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\System.exe | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2716 | schtasks.exe
2740 | schtasks.exe
2684 | schtasks.exe
1072 | schtasks.exe
2776 | schtasks.exe
3048 | schtasks.exe
576 | schtasks.exe
1688 | schtasks.exe
2224 | schtasks.exe
2272 | schtasks.exe
2112 | schtasks.exe
2736 | schtasks.exe
1920 | schtasks.exe
1756 | schtasks.exe
2104 | schtasks.exe
2788 | schtasks.exe
1632 | schtasks.exe
1236 | schtasks.exe
2668 | schtasks.exe
1648 | schtasks.exe
1552 | schtasks.exe
2792 | schtasks.exe
696 | schtasks.exe
920 | schtasks.exe
2528 | schtasks.exe
1640 | schtasks.exe
2520 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
2568 | DllCommonsvc.exe
2376 | powershell.exe
2556 | powershell.exe
2328 | powershell.exe
1956 | DllCommonsvc.exe
1956 | DllCommonsvc.exe
1956 | DllCommonsvc.exe
1772 | powershell.exe
1852 | powershell.exe
2264 | powershell.exe
3040 | powershell.exe
1916 | powershell.exe
2196 | powershell.exe
2920 | powershell.exe
1608 | powershell.exe
2224 | audiodg.exe
856 | audiodg.exe
1752 | audiodg.exe
640 | audiodg.exe
2712 | audiodg.exe
1596 | audiodg.exe
1872 | audiodg.exe
1088 | audiodg.exe
2012 | audiodg.exe
948 | audiodg.exe
2220 | audiodg.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2568 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 2556 | powershell.exe
Token: SeDebugPrivilege | 2328 | powershell.exe
Token: SeDebugPrivilege | 1956 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1772 | powershell.exe
Token: SeDebugPrivilege | 1852 | powershell.exe
Token: SeDebugPrivilege | 2264 | powershell.exe
Token: SeDebugPrivilege | 3040 | powershell.exe
Token: SeDebugPrivilege | 1916 | powershell.exe
Token: SeDebugPrivilege | 2224 | audiodg.exe
Token: SeDebugPrivilege | 2196 | powershell.exe
Token: SeDebugPrivilege | 2920 | powershell.exe
Token: SeDebugPrivilege | 1608 | powershell.exe
Token: SeDebugPrivilege | 856 | audiodg.exe
Token: SeDebugPrivilege | 1752 | audiodg.exe
Token: SeDebugPrivilege | 640 | audiodg.exe
Token: SeDebugPrivilege | 2712 | audiodg.exe
Token: SeDebugPrivilege | 1596 | audiodg.exe
Token: SeDebugPrivilege | 1872 | audiodg.exe
Token: SeDebugPrivilege | 1088 | audiodg.exe
Token: SeDebugPrivilege | 2012 | audiodg.exe
Token: SeDebugPrivilege | 948 | audiodg.exe
Token: SeDebugPrivilege | 2220 | audiodg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2396 wrote to memory of 2420 | 2396 | JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe | 30
PID 2396 wrote to memory of 2420 | 2396 | JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe | 30
PID 2396 wrote to memory of 2420 | 2396 | JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe | 30
PID 2396 wrote to memory of 2420 | 2396 | JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe | 30
PID 2420 wrote to memory of 1676 | 2420 | WScript.exe | 32
PID 2420 wrote to memory of 1676 | 2420 | WScript.exe | 32
PID 2420 wrote to memory of 1676 | 2420 | WScript.exe | 32
PID 2420 wrote to memory of 1676 | 2420 | WScript.exe | 32
PID 1676 wrote to memory of 2568 | 1676 | cmd.exe | 34
PID 1676 wrote to memory of 2568 | 1676 | cmd.exe | 34
PID 1676 wrote to memory of 2568 | 1676 | cmd.exe | 34
PID 1676 wrote to memory of 2568 | 1676 | cmd.exe | 34
PID 2568 wrote to memory of 2328 | 2568 | DllCommonsvc.exe | 42
PID 2568 wrote to memory of 2328 | 2568 | DllCommonsvc.exe | 42
PID 2568 wrote to memory of 2328 | 2568 | DllCommonsvc.exe | 42
PID 2568 wrote to memory of 2376 | 2568 | DllCommonsvc.exe | 43
PID 2568 wrote to memory of 2376 | 2568 | DllCommonsvc.exe | 43
PID 2568 wrote to memory of 2376 | 2568 | DllCommonsvc.exe | 43
PID 2568 wrote to memory of 2556 | 2568 | DllCommonsvc.exe | 44
PID 2568 wrote to memory of 2556 | 2568 | DllCommonsvc.exe | 44
PID 2568 wrote to memory of 2556 | 2568 | DllCommonsvc.exe | 44
PID 2568 wrote to memory of 1952 | 2568 | DllCommonsvc.exe | 48
PID 2568 wrote to memory of 1952 | 2568 | DllCommonsvc.exe | 48
PID 2568 wrote to memory of 1952 | 2568 | DllCommonsvc.exe | 48
PID 1952 wrote to memory of 1784 | 1952 | cmd.exe | 50
PID 1952 wrote to memory of 1784 | 1952 | cmd.exe | 50
PID 1952 wrote to memory of 1784 | 1952 | cmd.exe | 50
PID 1952 wrote to memory of 1956 | 1952 | cmd.exe | 51
PID 1952 wrote to memory of 1956 | 1952 | cmd.exe | 51
PID 1952 wrote to memory of 1956 | 1952 | cmd.exe | 51
PID 1956 wrote to memory of 1916 | 1956 | DllCommonsvc.exe | 73
PID 1956 wrote to memory of 1916 | 1956 | DllCommonsvc.exe | 73
PID 1956 wrote to memory of 1916 | 1956 | DllCommonsvc.exe | 73
PID 1956 wrote to memory of 2264 | 1956 | DllCommonsvc.exe | 74
PID 1956 wrote to memory of 2264 | 1956 | DllCommonsvc.exe | 74
PID 1956 wrote to memory of 2264 | 1956 | DllCommonsvc.exe | 74
PID 1956 wrote to memory of 1772 | 1956 | DllCommonsvc.exe | 75
PID 1956 wrote to memory of 1772 | 1956 | DllCommonsvc.exe | 75
PID 1956 wrote to memory of 1772 | 1956 | DllCommonsvc.exe | 75
PID 1956 wrote to memory of 2920 | 1956 | DllCommonsvc.exe | 76
PID 1956 wrote to memory of 2920 | 1956 | DllCommonsvc.exe | 76
PID 1956 wrote to memory of 2920 | 1956 | DllCommonsvc.exe | 76
PID 1956 wrote to memory of 2196 | 1956 | DllCommonsvc.exe | 77
PID 1956 wrote to memory of 2196 | 1956 | DllCommonsvc.exe | 77
PID 1956 wrote to memory of 2196 | 1956 | DllCommonsvc.exe | 77
PID 1956 wrote to memory of 3040 | 1956 | DllCommonsvc.exe | 78
PID 1956 wrote to memory of 3040 | 1956 | DllCommonsvc.exe | 78
PID 1956 wrote to memory of 3040 | 1956 | DllCommonsvc.exe | 78
PID 1956 wrote to memory of 1852 | 1956 | DllCommonsvc.exe | 79
PID 1956 wrote to memory of 1852 | 1956 | DllCommonsvc.exe | 79
PID 1956 wrote to memory of 1852 | 1956 | DllCommonsvc.exe | 79
PID 1956 wrote to memory of 1608 | 1956 | DllCommonsvc.exe | 80
PID 1956 wrote to memory of 1608 | 1956 | DllCommonsvc.exe | 80
PID 1956 wrote to memory of 1608 | 1956 | DllCommonsvc.exe | 80
PID 1956 wrote to memory of 2224 | 1956 | DllCommonsvc.exe | 89
PID 1956 wrote to memory of 2224 | 1956 | DllCommonsvc.exe | 89
PID 1956 wrote to memory of 2224 | 1956 | DllCommonsvc.exe | 89
PID 2224 wrote to memory of 2788 | 2224 | audiodg.exe | 90
PID 2224 wrote to memory of 2788 | 2224 | audiodg.exe | 90
PID 2224 wrote to memory of 2788 | 2224 | audiodg.exe | 90
PID 2788 wrote to memory of 2392 | 2788 | cmd.exe | 92
PID 2788 wrote to memory of 2392 | 2788 | cmd.exe | 92
PID 2788 wrote to memory of 2392 | 2788 | cmd.exe | 92
PID 2788 wrote to memory of 856 | 2788 | cmd.exe | 93
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe"  1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"  2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\cmd.exe  cmd /c ""C:\providercommon\1zu9dW.bat" "  3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\providercommon\DllCommonsvc.exe  "C:\providercommon\DllCommonsvc.exe"  4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'  5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\System.exe'  5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\lsass.exe'  5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"  5⤵
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  6⤵  PID:1784
-
-
C:\providercommon\DllCommonsvc.exe  "C:\providercommon\DllCommonsvc.exe"  6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\csrss.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'  7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"  8⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  9⤵  PID:2392
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"  10⤵  PID:2688
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  11⤵  PID:2684
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"  12⤵  PID:1636
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  13⤵  PID:2248
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"  14⤵  PID:1632
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  15⤵  PID:2216
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"  16⤵  PID:2700
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  17⤵  PID:1496
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"  18⤵  PID:2372
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  19⤵  PID:2592
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"  20⤵  PID:1992
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  21⤵  PID:1656
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"  22⤵  PID:560
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  23⤵  PID:848
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"  24⤵  PID:2612
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  25⤵  PID:2008
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"  26⤵  PID:1452
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  27⤵  PID:2748
-
-
C:\providercommon\audiodg.exe  "C:\providercommon\audiodg.exe"  27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5b5eb00a730fb1dbc5a5f87556cb8ab0c
SHA138a66b5333e089125239f8ee048b2fb588837a7d
SHA25616908a00400536e73fd31d39cd58bdca7e04f74dd8f582be349c90faccf35e83
SHA512900dbadac8ac96c1ccc297799f2ba76f25006188b5b170f25d6e539a1cb7a10a4c23377a3e635ccff86603c7c01c01b3a47736764966eca1262432db6cefa9e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB