Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 22:09

General

  • Target

    JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe

  • Size

    1.3MB

  • MD5

    0073a68dc63ef47b7b0ce81792ba8a23

  • SHA1

    413f89040eb3839773942476765fbe8f21180c2d

  • SHA256

    a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09

  • SHA512

    b33a3c2550a41aab150697528619766f271db969469145738c62cdce937d62c58f4d8121673e0b9e4402574dd1c8f98ca919791d8f84773fc43f94923dd537b2

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a7eb53dd0d3da29325f07c178efd47722e06ce15a2acc4ffdad69399011a9a09.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fDEC1nc6B.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1304
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:280
              • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1288
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2872
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1256
                    • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                      "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2172
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1092
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1604
                          • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                            "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1512
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
                              11⤵
                                PID:828
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:1564
                                  • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                    "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2364
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
                                      13⤵
                                        PID:2700
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2044
                                          • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                            "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2468
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
                                              15⤵
                                                PID:2288
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:836
                                                  • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                                    "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1900
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
                                                      17⤵
                                                        PID:1844
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:2256
                                                          • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                                            "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1328
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
                                                              19⤵
                                                                PID:2916
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2908
                                                                  • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                                                    "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1080
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
                                                                      21⤵
                                                                        PID:1780
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2128
                                                                          • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                                                            "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2936
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                                                              23⤵
                                                                                PID:2920
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:1576
                                                                                  • C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe
                                                                                    "C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1628
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
                                                                                      25⤵
                                                                                        PID:2964
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    89358719d4b75dd94db80ade3c574ee7

    SHA1

    d4f5319ffd81d6357928ca6be9e31ee0992647a7

    SHA256

    c3f26c158d01459ef4e4591caef2f9a2cbbbae8b6b1a15c68fd04e0c7a50cd76

    SHA512

    902ae94725a94eb1874ebb885a7d9040ce8ebab2a5996d158455ab00c7ac5a7deeb2618f27976a089760202d45629a754ccaabd19c51cc3a0d83bf4ca741a6f5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d707b3a992cae4e37b50ae7aa74a2642

    SHA1

    6f51cb668d031f19b4c0ad796f3663665359f31e

    SHA256

    9b2ce8e2163f4dfc8e94365a9ce4ff6980ad4c3c41a62593a249180ba28c2734

    SHA512

    e04c5e2d83772cdfb31d340348342daab4531269c0ce54ef5399c3c30214b4211e03cb006baf0f60a7285b6c158a13651b8e175d203cb339b009546e93fcd1df

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a8c78be433094ca0f4ffb81a58c4261d

    SHA1

    42f73136869219a35327d61af81e1390aa8c11c3

    SHA256

    26d8096fb23f11c17b2bdeb5fb5b6912bbad92e42185a2ebf9c42a324bb2d9c4

    SHA512

    da958d2b3a36ba6baffad02248c29e479efeb6bc7a8514ce54558f90c3d8aac13c6927f5549a9add2faf5059880f1029e521809e59376e4ec4e2c093eeea7a05

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c733728a158fd15077df9e64f29c13b1

    SHA1

    b0e1464ec27302a2e83ad0bd562320688a7820b7

    SHA256

                                          aee0a0ee2502a806b848fc13a169dfc224f05af1ec52c48e354e9bde12de6ef0

                                          SHA512

                                          b8a8be571caf457e7b8e9285672c080ba031d37da6e034ef66622089cd405f358741af734c8c20d0eb2c4bcf9d1a1a9b45ea098af3afd152b9e0ee928267828c

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          8d2c4c09dbbcf39ab76093390e224f25

                                          SHA1

                                          d2069c89e315337016d632c0c7093be97080b517

                                          SHA256

                                          6a75023a4d3cfec19623f34b6bc35ebefcb8c500eeff49bfcea1bd721c81f08a

                                          SHA512

                                          1923241d1e741725bcb1241699b6ad14b6b4200a028cea71720b73956719c45ac7de922821e056fdcaae3a5293f212a00fa799147d2492dda1f5c336b1cba8a0

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          6207cf0624c12b03ae3f332f061dfcf0

                                          SHA1

                                          1c18bae4e726afd9b1e594c26e9423618d6aab56

                                          SHA256

                                          bbd1de0d0907ae12b43c073562fbd5f267072dbc7655ab61fb89f76d6d5e32aa

                                          SHA512

                                          aecc4a0c4a9e32992697660ce18793dcab043ff83306cc25ed9bb681e347e11e96507c1538663975f993e99fc0ccb30e3ad67b42d47de832d6dc175123e5a3f7

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          4da42bb29298faa1d680f066d89ddbf1

                                          SHA1

                                          c6a7c82ad64e73b0dc6027a203f68496793779ad

                                          SHA256

                                          5acdb5d08f429fa2ce0ea5abfa68fed69451dc30a81c6f6814b2a6d8a184305f

                                          SHA512

                                          08409e3d252e3564945fc9f27c23c52fc68252c36de601d48ef91a5e563a5e4f33b514f6a734c37ffedd2124e9c10ecad7d294df6cd8099323ce69d2b925079f

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          1a718139f9d715cd5baa1146a9a1a342

                                          SHA1

                                          3a1039e7927173240a1794a0a3250f831803a5e4

                                          SHA256

                                          379aeb3602cba98046f275342479296515435876cc521e370918f740016c969e

                                          SHA512

                                          ba0df2b7be02126863fbacc0fc2fa38335b1c345fff437732e964fdfdf63af2d74ab8e6b2b5603ec0f9cd9fe1eb2ae036a0aa3d08d5f99f81e81b324c818b55c

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          a204835838e40eb5892cb64e0fc060bf

                                          SHA1

                                          68c91a831cbc964a6bf44424ff2dcb4ce2c4fe5a

                                          SHA256

                                          735627c94c3ef0b2394ecda108925c5530ec28ba333bf3ccc40362f7d7a74348

                                          SHA512

                                          e2184d051e7b74c6c6aece6bdcac169eff4dfa89c5ad69c0c46eb56398fab682629b7edec01dab3a6e67da6ef35611d2ed0b671f833255bec677a663faeb1388

                                        • C:\Users\Admin\AppData\Local\Temp\3fDEC1nc6B.bat

                                          Filesize

                                          225B

                                          MD5

                                          80e6e060cb2d926635c4553d798edfaf

                                          SHA1

                                          9d116c0943e67e7c144fd14908a750b30de791b1

                                          SHA256

                                          bc3b922b74dae263f68e5c4b73855c9d2991fe9f8c8f0b576837b03262c4d0cb

                                          SHA512

                                          d4d5f2a4881d3a4dd9aae87ce4047130f0d88e07533492c8c32ae39e761d992700ef028a2fc19252a6c3af2197d790768d957f7091d6b18bbeadc329bd113233

                                        • C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

                                          Filesize

                                          225B

                                          MD5

                                          dc5b6ba566ed5eebc507ab2b3961de77

                                          SHA1

                                          bc0b2a738c7c6e193549a480f222a06b299dee98

                                          SHA256

                                          13046a877bd54c66e085ae654027566258b69b6e2759f4d9800496d7899766b5

                                          SHA512

                                          f7d4010c0ddce4b5bac6b8d8f9d881b0b71162ae237b51bf82bc877c8e7b43513e8869d68a8c0850a322d320ae8c1dfb7cd2f2b508748fdc0ec8675dc9109290

                                        • C:\Users\Admin\AppData\Local\Temp\CabDFE6.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\TarE008.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

                                          Filesize

                                          225B

                                          MD5

                                          57ad5ba22b222923c807e63a73f11a63

                                          SHA1

                                          9e2c44c3ccc7ff123e8e51381a2a478457017345

                                          SHA256

                                          a26b5288ce76a3b544108fc74eebe1adc5072d301eb7ac1b9a214dfe533cdaa7

                                          SHA512

                                          4a7d0b37fd941f8ed10c26996af7d2785c8a7770243d06ff61c463e30c92b692aa5b47162b0281520595dc253617d012fd4c1f1c7b76dbb4aa10a87c2c930ba5

                                        • C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

                                          Filesize

                                          225B

                                          MD5

                                          4ab68fbd51b5ab353904b32295194c65

                                          SHA1

                                          5fd8fc7b2934af80f97c2952659eedc3e920410b

                                          SHA256

                                          8b25dffe75f6217120928a361377a1bc0a2ec3c67bc991db664362dbed631717

                                          SHA512

                                          006ba7ca59c6bb4acdacd8e89ea05257a4bc6d6c0cc015ef47f2fb0edf34c317ebc21bfc7f9cb53c549f968a85755096037bbf46269ccf87ffa93b8143d1d9d1

                                        • C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

                                          Filesize

                                          225B

                                          MD5

                                          f6520e70bedababeaddbcf7edf42358d

                                          SHA1

                                          7b537ff2b5361c051bfc0db0d615a90368cb3385

                                          SHA256

                                          ef71d528c41f54752bf5056732622bdfb4fd60966a1bddea4f2f484163f43279

                                          SHA512

                                          2975dfdfa1163489a9020e5af88b539f965597558a172a2546bf484f4024b246b2fe1d9e81ca1865a54b2e13b1baf40de992d74145678225eac8501835dcbe85

                                        • C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

                                          Filesize

                                          225B

                                          MD5

                                          ef34ff189523570bb63058d09cb076fe

                                          SHA1

                                          603644e4c59602aeb2c35dfc5e29c86fe178fbab

                                          SHA256

                                          d9b93320c39879112293a05a732c83f5a219e77f1104d1e141924bfd5594b6ae

                                          SHA512

                                          92331b414e7ff4b32ac28d232c24bde1970de737d52d96115b73cf2747e6a0e91ccda5be22afbdbcca32ffbe42c290eade738faa43a113259c690b3c1aba1194

                                        • C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

                                          Filesize

                                          225B

                                          MD5

                                          856f28b6f7239053ef2e51173adc75a5

                                          SHA1

                                          1e3c09802d86d0c1262c64671f46289abdd47120

                                          SHA256

                                          8c27745c5c64701d219a609c44facc8557017c2f6173cce190438139b20e0e45

                                          SHA512

                                          9017e175925ebce84ef1e7a424c8ec463033a05412699942c4e9b629258df80dec42e6c5289963bdc85d1c5e49bae3769db62851e58c90426e0000688cde96d4

                                        • C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

                                          Filesize

                                          225B

                                          MD5

                                          465d7b7263942389eea08a64f2bbcb52

                                          SHA1

                                          0f4fa4052b5101529712b39c143164ee0b92f786

                                          SHA256

                                          d4e8aa959a9929eb7aa137d48739c6896fbe482954419d1e7d40d14b8075425b

                                          SHA512

                                          290e0425b912a1744b34aae813821a5753236b6b856ae4b5b7c59a1cdd3afe4b014b7e60413b1e010dda8ad54ab05f153309fdd9b5d8d21a51692fef541bf600

                                        • C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat

                                          Filesize

                                          225B

                                          MD5

                                          a95a29a4fa926e584d2f5ff1d1830e10

                                          SHA1

                                          626b4b5ae874e27838a831a4f28f51d7c68139d6

                                          SHA256

                                          bad8c9d0da7f370a32f2a8d363abbb1638ea5b3ce25388420b482e51d5dd330d

                                          SHA512

                                          bfbc21f147bbdb40c0aefdb533f01ef8153227ced870c11b4fa103c2d0147cdf25e97bdc47434c166594605eb8546b8a3de1106d6afda33316e425e3bcad9e67

                                        • C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

                                          Filesize

                                          225B

                                          MD5

                                          ab97b100ebc2156a1c8b2dbeb3ba849d

                                          SHA1

                                          fa031a6c5664533db13991f92a774bfd2b4ae2a9

                                          SHA256

                                          b4b196cb69ec19aa05fea1a26f4a19dae6ada03357c2a930e089089c1c7592b1

                                          SHA512

                                          6359e3834ce1bc0dd8cb8353b187c27a473bdbcad2cf05b1f82ac2730d35b0a297edbb383d5003c5c23d01f6298553fadcd52a1a43673509aeac55b11ce06383

                                        • C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

                                          Filesize

                                          225B

                                          MD5

                                          83e24d37de499c47559c77d4d7029428

                                          SHA1

                                          87226bc07d1aae67b31d2b27c1d0a7e067fb83b8

                                          SHA256

                                          412200f43d6313b69d3d6d2655b98cb4a480089c7e7b5dd9d65ea27137ed82fb

                                          SHA512

                                          dc7447d8b85653f8f957a86cb26772cc71a0089fe48097ef770c162805c55aa617a71b6a5b88d5f0188a1e8a076795140d82d8aa228259dd435b3330a2a57820

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          b1fee55af8892b8b14822acbb124dbd5

                                          SHA1

                                          7468f859381525d6dadda9746765745ee8d51e94

                                          SHA256

                                          35b06fab65b455db83a02ad872c2e3975d7af957b963c0195dc98b95e6e72319

                                          SHA512

                                          751309673b0e8c3c83cd6b00600e3c6926fcab0a7824155c91d7590954215fac400a6155b5503619ad2f6bf005c205fad79c016f112ff53ff75d77802f8d7001

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/1080-497-0x0000000000260000-0x0000000000272000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1288-80-0x0000000000050000-0x0000000000160000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1512-200-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1512-199-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1628-617-0x0000000000B30000-0x0000000000C40000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2172-139-0x0000000000240000-0x0000000000350000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2364-260-0x0000000001300000-0x0000000001410000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2364-40-0x000000001B740000-0x000000001BA22000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2364-41-0x00000000026E0000-0x00000000026E8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2776-17-0x0000000000470000-0x000000000047C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2776-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2776-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2776-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2776-13-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2936-557-0x00000000003F0000-0x0000000000500000-memory.dmp

                                          Filesize

                                          1.1MB