Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 22:10

General

  • Target

    JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe

  • Size

    1.3MB

  • MD5

    9c5d6205bcf77f2e6e9d3646b81c30c0

  • SHA1

    95f5f5502c886279b02b7ab9f649de270762ce4c

  • SHA256

    2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26

  • SHA512

    38bdbb41021650480e7931418a268cf2b6950f873563751cdf8b0b1a92505a707e73a719f6fe7061690d7f077590d5176c94a5a20cec6a28f9a6ab68fd6cc2ca

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run each dropped binary is excluded by path with Add-MpPreference -ExclusionPath.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2f5d8b60f57f1700923ea656288371c44a9308d919fe4f9dc0e744137c7def26.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2004
              • C:\Windows\Registration\cmd.exe
                "C:\Windows\Registration\cmd.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1548
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2300
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2756
                    • C:\Windows\Registration\cmd.exe
                      "C:\Windows\Registration\cmd.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3052
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1836
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:3012
                          • C:\Windows\Registration\cmd.exe
                            "C:\Windows\Registration\cmd.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2056
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2184
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2828
                                • C:\Windows\Registration\cmd.exe
                                  "C:\Windows\Registration\cmd.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2608
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
                                    13⤵
                                      PID:2472
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:2920
                                        • C:\Windows\Registration\cmd.exe
                                          "C:\Windows\Registration\cmd.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1080
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
                                            15⤵
                                              PID:2148
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:2784
                                                • C:\Windows\Registration\cmd.exe
                                                  "C:\Windows\Registration\cmd.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2972
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
                                                    17⤵
                                                      PID:2000
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:568
                                                        • C:\Windows\Registration\cmd.exe
                                                          "C:\Windows\Registration\cmd.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2140
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"
                                                            19⤵
                                                              PID:1608
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:892
                                                                • C:\Windows\Registration\cmd.exe
                                                                  "C:\Windows\Registration\cmd.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1812
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
                                                                    21⤵
                                                                      PID:2728
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:988
                                                                        • C:\Windows\Registration\cmd.exe
                                                                          "C:\Windows\Registration\cmd.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1844
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
                                                                            23⤵
                                                                              PID:1492
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:2160
                                                                                • C:\Windows\Registration\cmd.exe
                                                                                  "C:\Windows\Registration\cmd.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2040
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
                                                                                    25⤵
                                                                                      PID:2620
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:352
                                                                                        • C:\Windows\Registration\cmd.exe
                                                                                          "C:\Windows\Registration\cmd.exe"
                                                                                          26⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1520
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
                                                                                            27⤵
                                                                                              PID:592
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                28⤵
                                                                                                  PID:1452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Registration\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
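
The Signatures list and the command lines in the process tree are enough to write a first-pass detector for what this sample does: Defender exclusions added through Add-MpPreference, scheduled tasks that re-launch a dropped copy every few minutes or at logon with /rl HIGHEST, w32tm /stripchart against localhost used as a sleep between stages, and system-binary names (cmd.exe, explorer.exe, spoolsv.exe) executed from directories where the real ones never live. The Python below is an added example, not part of the sandbox report or of any vendor's detection content. Its process records are constructed from the report's own command lines plus two benign controls; the ATT&CK technique IDs attached to each rule, the set of masqueraded names and the list of system directories are the example's assumptions.

```python
"""Added example, not part of the sandbox report: command-line heuristics for the
behaviours listed under Signatures, run over process records constructed from the
report's own process tree. Technique IDs on the rules are the example's mapping."""
import re
from typing import List, NamedTuple


class Proc(NamedTuple):
    image: str    # full path of the executed image
    cmdline: str  # command line as recorded by the sandbox


class Finding(NamedTuple):
    rule: str
    detail: str


# Assumption: default install; the genuine copies of the names below live only here.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names this sample reuses for its dropped copies, plus a few others commonly borrowed.
MASQUERADE_NAMES = {"cmd.exe", "explorer.exe", "spoolsv.exe", "svchost.exe", "lsass.exe"}

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)


def is_masquerade(path: str) -> bool:
    """True when a system-binary name is run or scheduled from a non-system directory."""
    p = path.strip("'\"").lower()
    name = p.rsplit("\\", 1)[-1]
    directory = p[: len(p) - len(name)]
    return name in MASQUERADE_NAMES and directory not in SYSTEM_DIRS


def parse_schtasks(cmdline: str) -> dict:
    """Turn 'schtasks.exe /create /tn X /sc MINUTE /mo 5 /tr "'path'" /rl HIGHEST /f'
    into {"create": "", "tn": "X", "sc": "MINUTE", "mo": "5", "tr": "path", ...}."""
    opts = {}
    for part in re.split(r"\s+/(?=\w)", cmdline)[1:]:   # [0] is the program name
        key, _, val = part.partition(" ")
        opts[key.lower()] = val.strip().strip("\"'")    # unwrap the nested "'...'" quoting
    return opts


def check(proc: Proc) -> List[Finding]:
    found = []
    c = proc.cmdline

    m = EXCLUSION_RE.search(c)
    if m:
        found.append(Finding("T1562.001 impair defenses",
                             f"Defender {m.group(1)} exclusion added for {m.group(2).strip()}"))

    if re.match(r'"?schtasks(\.exe)?"?\s', c, re.I) and "/create" in c.lower():
        o = parse_schtasks(c)
        reasons = []
        if o.get("rl", "").upper() == "HIGHEST":
            reasons.append("runs with highest privileges")
        if o.get("sc", "").upper() == "MINUTE":
            reasons.append(f"re-launched every {o.get('mo', '1')} minute(s)")
        if is_masquerade(o.get("tr", "")):
            reasons.append("target masquerades as a system binary")
        if reasons:
            found.append(Finding("T1053.005 scheduled task persistence",
                                 f"task {o.get('tn')!r} -> {o.get('tr')}: " + "; ".join(reasons)))

    low = c.lower()
    if re.match(r"w32tm(\.exe)?\s", c, re.I) and "/stripchart" in low and "/computer:localhost" in low:
        found.append(Finding("LOLBin delay",
                             "w32tm /stripchart against localhost used as a sleep before the next stage"))

    if is_masquerade(proc.image):
        found.append(Finding("T1036.005 masquerading",
                             f"{proc.image} executed from a non-system directory"))
    return found


def analyze(procs: List[Proc]) -> List[Finding]:
    return [f for p in procs for f in check(p)]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ST = "C:\\Windows\\system32\\schtasks.exe"
# Constructed from the report's process tree (records 0-6) plus two benign controls (7-8).
SAMPLE = [
    Proc(PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    Proc(PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\Registration\\cmd.exe'"),
    Proc(ST, "schtasks.exe /create /tn \"OSPPSVC\" /sc ONLOGON /tr \"'C:\\Windows\\Tasks\\OSPPSVC.exe'\" /rl HIGHEST /f"),
    Proc(ST, "schtasks.exe /create /tn \"cmdc\" /sc MINUTE /mo 5 /tr \"'C:\\Windows\\Registration\\cmd.exe'\" /f"),
    Proc(ST, "schtasks.exe /create /tn \"explorer\" /sc ONLOGON /tr \"'C:\\Users\\Admin\\Cookies\\explorer.exe'\" /rl HIGHEST /f"),
    Proc("C:\\Windows\\system32\\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    Proc("C:\\Windows\\Registration\\cmd.exe", "\"C:\\Windows\\Registration\\cmd.exe\""),
    Proc(ST, "schtasks.exe /create /tn \"Updater\" /sc DAILY /tr \"'C:\\Program Files\\Vendor\\update.exe'\" /f"),
    Proc("C:\\Windows\\SysWOW64\\cmd.exe", "cmd /c \"\"C:\\providercommon\\1zu9dW.bat\" \""),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f.rule}] {f.detail}")
```

Run stand-alone it prints seven findings for the nine records and nothing for the two controls. The heuristics are deliberately narrow: a daily vendor task under Program Files is not flagged, but a task that fires every few minutes, demands HIGHEST, or points at a cmd.exe outside System32 is. Note that path matching is easy to evade (Defender exclusions can also be written through the registry, and the dropped names and directories change per build), so on a live host the findings should be confirmed against Get-MpPreference and the Task Scheduler rather than treated as a verdict on their own.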

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    daf540861f5efa2f00c1e27e5989d5d2

    SHA1

    0fd13ea3997aeefc767d1e1b3bdf18d006579f1c

    SHA256

    796e0b50a98aeea370542f5c0b7d881e058b00298527c1818932421a956ffdce

    SHA512

    299a8ef78724528bec484974a1e6e1a5d203b0c5f8c3e59247933703759c972d5ad8d86114eb457ff3c3f01bc4613bc35763f599b5db1f672728a6454d8479b6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    52e5374433235a0779d211d83b3c9038

    SHA1

    de84c1b24df6347ebf5498fd10d87c79d9b078ee

    SHA256

    6965e58146a4c3829c3ce5d672f85388e6d16d4cecc230028a089188b147a446

    SHA512

    430bdaf8b8517624afb413a5bcefdaa2678392cba98dae00e893fead4c1a933bb064732383ef8ecdf4987a6973cda04009c9aac1f0adca752f660309f96f3797

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c37728432896b5259517a75ab1521007

    SHA1

    2a21eb9a8ac049ff9d17fb50aba4468c3aaf4d6d

    SHA256

    a4b52b3782862130341bb6b5af50efb2c416d72943f77cf448a9b7c4fb8f587b

    SHA512

    838f2e7bbd59c7b3786c332a15952ffec0c822a4200ee15c461c9b4a84d0b04aa7b8d0c386f8ae924d2bbfbae993e6a2c464df770931226b8eeabea7bfe1521c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    85878485e31bfa91db3f077e03c7f47b

    SHA1

    bd52149354fca7569aad36de87ffe8f6c6b9e634

    SHA256

    4e71c649618f78c82cc427668ef4ca9bf2020c6540dace371a72b2af6d3193e1

    SHA512

    1d987a71c0afdc0b11a15271b5e9e9beb171f445d11a92b9b562b2ac671ea437028bb9f8421edd1ceb9d160612770375301ff0ae38b31aa8dcc8b18d91dc2cb3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0a29071f6d3d0c4883044f89b1a6b4da

    SHA1

    c16b1fece3bb701f009c411e2425e4e171bae926

    SHA256

    99c011a992385d2e6b54666c74d2a6ba373c0ea1e4d8daab1fa5059fab7e840c

    SHA512

    c2eb88af8d78e30a60337248171c5e086941216f73734cd2e65f7be3c5c69e96cab577780fe21d11a653122ecec74754d37736121cd38c1a31c5f4e85eb8c7ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7eb6b45ef55c0bf6392cfb76dfe8d11d

    SHA1

    451dbc2e5d72dc6d6bfcf0d03f5186927b5973c4

    SHA256

    a58cec06d872f63cdce0258634bc55fbe73d78c3cb28976a84bf7468a297f03e

    SHA512

    49f4cc1aec59a324da7b2ab6b6d7d1cd4929fdfed435e14039d1a31a60aca2db64fd1d45f8999bb0e8883a8e5e20fb13cdba34d379e50f2e9863d7186701fc04

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    be1c79eefe54206cd6ec187ac7afb0cf

    SHA1

    6de4d3099ea07467036565e43c80fb0c3d8d1cbd

    SHA256

    ba94bf9587b37cdb4ecb7c219a0d303b710a776bdbad97577fc9426d03e02de3

    SHA512

                                            acf4fbe114a171e5786e5f6829cfab06b2941e5230344bcb8c11e94e6514b3d12db3d57521f7df377c77fff57c5a0546d6d748c5a881d4b6f10beafdd952016f

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5dfd59155494b801205bf24d024db85f

                                            SHA1

                                            497138dfe7525607b4b97df2421db2ae3d052369

                                            SHA256

                                            cf87f58c8775d3ac3b72a4da124ea421883a8c44cdc1fd9049823e91d5cdeedc

                                            SHA512

                                            a44033ba96507b597aaeeac3a3f6bacb655cb3f399e49eaf009fd9732d1c073d502f86c02c015b93b70d273fa3fc76553a1f168fdb6c735b2814ba22ae953616

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            78314b530fed79da0badb4881c4d0341

                                            SHA1

                                            ed34ddc8763cb1b2f8bcfee761c4b65291c180b3

                                            SHA256

                                            b495b20af164146eea987ef48ad2841b649060ca89b57ee618ccd1e5b489554e

                                            SHA512

                                            eeb8beb1d428b527f741ae505db1c0a68638324c0a7e978f5d09d90994e50549537faf8b692d013e230256773414cdf72a9ee86228ed0c99267d7da45354e607

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            4cc83329fb545bd6d0eb0cdec6ea13c2

                                            SHA1

                                            19e04fe8e53ad88bc1a33945ad5c67d45499046b

                                            SHA256

                                            548f35dbf476709f1f0ff061844eef81104393c0fd84b85b411f212b089e6d6a

                                            SHA512

                                            78aa8b534265f9d89f7312e7364615c03f9b9647c93de528a939a68b628420fdfbc5ad9197b27141a1f64ec70cc43d1aacffeed21b8653d8febd7ce5d677fcf0

                                          • C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

                                            Filesize

                                            196B

                                            MD5

                                            0ea1c25dfd486678488e003997be493b

                                            SHA1

                                            f6b77be52fae79d5dea62ea571e8b697b0ff564d

                                            SHA256

                                            cb55d4f53d1bffe9671a1bfa3349b60db18a775147c6dae361f7583c2f9feb35

                                            SHA512

                                            8d04fbc24564053bca849dc647cfb46a0a7d0e0132c8851de8fb169355ab0517f2a97ca94f9fed336b69248f8d6b7f0ad77f820beec2ebbbc867db84f32f35a2

                                          • C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

                                            Filesize

                                            196B

                                            MD5

                                            c4cf3d725cb7417fbb028fee59b33b62

                                            SHA1

                                            3a927dde01f5e0ae82f25c9c322a9000ece0c4d8

                                            SHA256

                                            59a26b7b5600ac6d29cadb42a58e669bb3f9c20e6c4825b039a469a3c847b9e6

                                            SHA512

                                            e32525d6a19743d1762bbe8a33aa832594a084be0d5f172e1c16796f6bd83ac424df8a31a73d101367868dac553087e35d9702b83854b193cdb2c33d4cf164c4

                                          • C:\Users\Admin\AppData\Local\Temp\CabFF96.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

                                            Filesize

                                            196B

                                            MD5

                                            3085af1de0f07c98ac7243a8ca98e41e

                                            SHA1

                                            e4e42f5f0ecac9577c6720593dd0fec8abcbda40

                                            SHA256

                                            8191ace655d2feb3348ddd6674d16539027cc7fdddba7834af2bfc4fa6dbad0b

                                            SHA512

                                            a670de526c585961dca7241f13c1744898357fb2f9c35fd1ea0312388f776f640a1b340272fa46a8e1b64dc0275796390813d9c49a2565ada4eb9948f6ecda59

                                          • C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat

                                            Filesize

                                            196B

                                            MD5

                                            3d8df2d3f77744fd38b38054cd1cdf41

                                            SHA1

                                            8483ad8049c7f5d413042e45533a34ab1cde57f5

                                            SHA256

                                            c93753889083cc5471059658c69ee4a6c9871a4d7f82747771bb97940f9da127

                                            SHA512

                                            33ff5672531f25a44b14af7b35f3848ba6815b5328b2d5a942c53a41bacf78c613589895927e2789fedf067447ed0f0deffe97387e2b08f6ad21789e55c00638

                                          • C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

                                            Filesize

                                            196B

                                            MD5

                                            10cc86eb07cdad712895cb4d5b151b16

                                            SHA1

                                            d5515f43ccc852ccfdecb4034d7a526b68daea2b

                                            SHA256

                                            887c35a8f52b9ded19a88947a8c4f1b243c2ee73458ab8ebbee1751a9c7e3409

                                            SHA512

                                            62f33934eeea6be2faf4a984b786685de0937ef722291f3dc968b5deea03017627ae5292bf6e642ca08241c77aa09ff4e91bcd5bee434c0b4ad8e9fd683e1426

                                          • C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

                                            Filesize

                                            196B

                                            MD5

                                            3ec60240ed322630f44bae6dbedc8f58

                                            SHA1

                                            ef87a824c0ac02f97f93f5f5cf31694fe83ac13a

                                            SHA256

                                            9ab50f9c1078e3bf91d97f6ce5a8d8cbe6cda29025f738d928fa3e96bc4dd2ab

                                            SHA512

                                            c15fe40554351064339dc027d86a544a4f67e3c42200fbe7c19686805cfe55f725c3351555fd6f0abea3551dfb86c8feda6e336c6e38e991020d9fbcacb2b604

                                          • C:\Users\Admin\AppData\Local\Temp\TarFFA8.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

                                            Filesize

                                            196B

                                            MD5

                                            1b18362a55d1dbee4b28a279c5e2805d

                                            SHA1

                                            12469eb458cd6c57a0bd32c00a758b0601dbc732

                                            SHA256

                                            ac4b6051af607a7728148c449c6be2d7c0f49c4f3e124d938feff8960bf9cd09

                                            SHA512

                                            604acfc5e98f3a5816389a51b67817e4c85f808ab22e7164d7eec498ee14fee0d9ea4d12fca7396278b4945ff81ba39fd463f88ab798d2081e160b3e9206bfdc

                                          • C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

                                            Filesize

                                            196B

                                            MD5

                                            dea41afd14f592a554f17480a1351676

                                            SHA1

                                            6e74083d86163ca8217d7b4631abf679940cb08c

                                            SHA256

                                            f962f13df8d409bb68a647fb7838571aec642ef41f4fe74f5933b61f083ef9b1

                                            SHA512

                                            ea1e07db31a85241e304383bec5b334bd40a97b0398f4c5e1fe03d88bff90de268ec65b16f1525fb7a26878dcdb709a727aba7ab3e016f64f75fc475bb74fd22

                                          • C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat

                                            Filesize

                                            196B

                                            MD5

                                            038a3ccdbc4716c67a6634dcfc8ff48a

                                            SHA1

                                            8f5da0d70ab91a6318d6789696e52559c4391550

                                            SHA256

                                            26f2f3d01d56d5cac8fa8ebd1d74dc87ba4d84f1cd12d49f47af1b0e3cf74777

                                            SHA512

                                            7122b63335fdaec0aca7bb1525a9f8b3e8488ba042a4f42d47957f245ad2ef2748782fe4cb4d5ebf7904398c479f6f30420635ce3f28c1047168d21182af88c8

                                          • C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

                                            Filesize

                                            196B

                                            MD5

                                            48943f96c1e2a4fcacb16d29b2dc43c5

                                            SHA1

                                            551092ce59a9570356528be18c76e7bbfb26daa6

                                            SHA256

                                            f1fa1ec9a9f996551773815215619ec52d2e245cb88b172e9354e2f158fbe88d

                                            SHA512

                                            aa112a1abe6f00d0e74064ed6686967923a952d80fb89d38c6c5138997ef94d3115726499a17e15626d35bc911f89ecc5d96a1a3ef732f60035fd9bf513adb81

                                          • C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

                                            Filesize

                                            196B

                                            MD5

                                            b8732b484bd5b02809383b1d7d20930a

                                            SHA1

                                            c0f597d0b9ba571315e24c14bb063a09726966ca

                                            SHA256

                                            42fc88557ed07a859bac2a2c6c177dabd2fc428e42d53aa3535dad00495e2f7e

                                            SHA512

                                            e9be5161bf408ad626a6e764f829a88ec153797b6863e4e3da19223e6b210ff569172e9ba1e20ee7c6a13278052d7a7991d6fe6be5417fe1f124f90d4aa655bb

                                          • C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat

                                            Filesize

                                            196B

                                            MD5

                                            fab2e44ec9f08a446fc54e63840ccae1

                                            SHA1

                                            45c35a7ca9b239cded63694eee0025c25cf518db

                                            SHA256

                                            8ef81cc00306a224e9018664d74316ddf549ce81e7d92aaf69ce7f2834abbab2

                                            SHA512

                                            a523159b396c62a3fd320aacf3d90180842dffae5874ad061cb0595e1b9cbe9a18981b0cae2c311e1ff8515df5e0fd28a8935664e1c26ce94b66239ab80a189d

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            bee66c3a8c99cdcfe160c74eec5795a7

                                            SHA1

                                            ca8e888af5cfd8626792f6ae89ddc6a81dbf6c69

                                            SHA256

                                            e6c2824f8592ce2543eaafef2e23fd2bedcb334f6c180d808a152ff14976c410

                                            SHA512

                                            e666c604281c3cfa7bb598bd0555d7696e0a589ca85c22c8ddb6d9db583ec57317dd78bc3e9a31dd42df9c4aaf22086c12d7dffae46d218afb372ff75a8ca09c

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/1080-301-0x00000000006E0000-0x00000000006F2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1512-42-0x0000000001E00000-0x0000000001E08000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/1512-41-0x000000001B770000-0x000000001BA52000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/1548-61-0x0000000000920000-0x0000000000A30000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1844-542-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2056-180-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2140-422-0x00000000012B0000-0x00000000013C0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2140-423-0x0000000000240000-0x0000000000252000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2608-241-0x0000000000510000-0x0000000000522000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2608-240-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2964-17-0x0000000000620000-0x000000000062C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2964-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2964-15-0x0000000000500000-0x000000000050C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2964-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2964-13-0x00000000002D0000-0x00000000003E0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2972-362-0x0000000000140000-0x0000000000152000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2972-361-0x0000000001100000-0x0000000001210000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3052-120-0x00000000009F0000-0x0000000000B00000-memory.dmp

                                            Filesize

                                            1.1MB