Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 22:46

General

  • Target

    JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe

  • Size

    1.3MB

  • MD5

    e090284969f9630b6cca5bc3f9565d80

  • SHA1

    bd1d695b0c5c0f426623d739156118b02a4f4cf6

  • SHA256

    871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3

  • SHA512

    aafd7f2f2ea2003d2a0c3b2fed5f7dab502ab43623ebf130885773d23e135507c05580cb7b72cfc2f841aed21ff1b48134df2266022515a1bb5e5e323bd145e4

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_871a40c5088ca95cc838073f8dc372ca764742d34386af947c90cb49b8a6b4b3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:484
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ms6Q8G3V4.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2908
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1224
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2108
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2292
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:828
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1932
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1680
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2312
                    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                      "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1596
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:772
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2944
                          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                            "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2836
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1196
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:448
                                • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2216
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
                                    13⤵
                                      PID:1300
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:988
                                        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                          "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1028
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
                                            15⤵
                                              PID:2392
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:2864
                                                • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                                  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1528
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
                                                    17⤵
                                                      PID:1976
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:2672
                                                        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                                          "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2620
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
                                                            19⤵
                                                              PID:1992
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:2220
                                                                • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                                                  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2712
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
                                                                    21⤵
                                                                      PID:2740
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:2632
                                                                        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                                                          "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2444
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
                                                                            23⤵
                                                                              PID:2148
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:2592
                                                                                • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                                                                  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2004
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
                                                                                    25⤵
                                                                                      PID:2956
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:2224
                                                                                        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe
                                                                                          "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe"
                                                                                          26⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1476
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
                                                                                            27⤵
                                                                                              PID:2312
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                28⤵
                                                                                                  PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2116

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 030ab4b49ffdc337d43385702249f628
    SHA1: b9050b7d46b14af6974a2dd2995a16e084c1a96d
    SHA256: 0551c5f6b372e9395823a6a5d4713b4bf27d2d29313188b467d10f8b3a976367
    SHA512: dcae3a245ee753c17910bf1be0edeffa1b79fbe1d75a29274a7b907f2a99dc7015aaf5d2f0e6c2abe30e710e5248e4b1f1199d8927bcb0e4b1ab9feef7626017

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 7fdc43c03d6021ec1d3c6326acf44191
    SHA1: b5ca9c9cfdec3c9e61aa8d4a42ffd335830f2416
    SHA256: 9a06a7d030687bc2d8b63d7fe012c16ff59102b78e1234675d12109e84f650b1
    SHA512: 0bb6619d0717799f249ecf1c1cec86e7074a2d163e44a78b6c33d8ccf7d9b93adfaad54a74088ee4d28c36ada08e98e86fb6dc70ccdb1da175b70b71a9bef4eb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 4c7310568b1748183fcfb06d16caf63e
    SHA1: a5efff6aa938d75be53013f2bc6d36cfae4c1338
    SHA256: 074ea5066f2aef5be9105603584b75c17132e3a1f6de7ff545edb00c06d105e6
    SHA512: fb796f8bcbe9cf26944076d940ba907eac08cd02347431c6fca0cdabcb10f53adc1d6f93f117bd1e489a2d4717ce9ef90bc76b77bf79955bd9820525106677b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 13ad4095a362bbfbcc2e75875f4b35bb
    SHA1: b79407edc29828d79d47a4f1a8e4855e00e40ef4
    SHA256: c2d68d647d1bf8755f480fa24cecd7b3f641e506372abe6896a01ad3421c7512
    SHA512: 92a1b87361d83a577588a152ce2bb4bebd964f35dad623c70ddea8df06a6179d3ae4fd08deed83ba1661af63c7723caba4f37ceeb4547892f27562eb470d4002

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 2885c5fe80ea3ab30c12d2e83bf94ac7
    SHA1: fb2b44667c011cfa99899ab5aa3171f672a63f86
    SHA256: 48b4168f16e1e4360ed1217630501c5fba0b77bf431829e5a278dfb320b7db02
    SHA512: fd158a15604744efdeaaced8fa8b8f0bd879080e6ef5ead696b8bce3a96be6c846458496ab1667d5900a1f50d60dc3395b5faab0ecb2de0c70b6d27c2780cb1a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            58f45ff77a2855838782ec0d7698c438

                                            SHA1

                                            2e8d19bacad840ee7d41092c6b93f3ab2fd2c934

                                            SHA256

                                            d5bc662fc68721dd10457f4455f9c1b89ec4ceea7f92b39a9a869e3e4cb5dd57

                                            SHA512

                                            6ff1f840f34fe601e5a05367a0ea3c7de2efdfc4d06eb119eac4ba44d7e1ad486ffe9e3243f7b452663707b79ae0806befe0a6460e2c6db0c4f1a25f4106d3d9

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            e066fdfe3e953fd85d755efd08cdbaa5

                                            SHA1

                                            0c7aaf40618c06c78eafbb4b54a6dd97bd765af0

                                            SHA256

                                            d4c3d6299ece0d9d382f06a603a6d46df5311eaf7f4bd27d8d7fcd04320a55c6

                                            SHA512

                                            97f97b7b542d7e43d4395188500c1c985238dc862c374db76ee563f8834454288b79e965f6ca84b24472f27c8b9627fd5dad6873dd0189e206df340b43a6f361

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            30bfb66760fa0f2bb5c67c767a9defb2

                                            SHA1

                                            268a12e52d741dd8629084e21439b48cc8342835

                                            SHA256

                                            a5c8076070b038892e080cf2cf0784612da0e7eed0fd059cfcb2fa838e8a0607

                                            SHA512

                                            5c75acb872c9f19e62b618ac81a1469513d520da70943ee6421409463843b28610556ea476b6840566eedf68b8e1f9eaa5bb579d6bc95b1ab95233d56a28249b

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            55abe24da41c1dd15a6cf6c20e2d7416

                                            SHA1

                                            dd9ae5b2628ba76ad58fe7ca6102951f4e08f451

                                            SHA256

                                            d66e7c0db93fce241703cd130c2f55b63a04db14ae808802b85bee6ef5ad9a81

                                            SHA512

                                            212e9886ceeff0e4a56e51f088765c6a581b33b1558f7b78379e9a3f120ca59e754b82c236a837035d8d1b7876012d90d5c42ed88cbec420160a2a38cf36acb3

                                          • C:\Users\Admin\AppData\Local\Temp\0ms6Q8G3V4.bat

                                            Filesize

                                            199B

                                            MD5

                                            9bf0df597af1342248b98d983ae90d7f

                                            SHA1

                                            f24927f8ad0e628e7266eb6cd7ef68a8bcbcb226

                                            SHA256

                                            f1cac5d614942096d2934c75b95be26c55349a9ca9bd7bb39ca7f59c5bc52cd8

                                            SHA512

                                            6f5bf7ef97161c52a8e5708fe29a64b4d347af736f1ed5db39e5cbc108af8cb3c2a130b685ef907043ca2611307a7b7149c4d350e618d397701fbe1a40143e70

                                          • C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

                                            Filesize

                                            235B

                                            MD5

                                            6af85ace3503ded9bd8fbcbfaef658e6

                                            SHA1

                                            e8e4712845c828e8a31281947758f506c7ecb80c

                                            SHA256

                                            b81c31f57c95a394c79ca378e73934e5cd83680830f4811f2b113ed3a8ebdf84

                                            SHA512

                                            133cb4b549b52f5c340da10ea46d209f6f7f6a1df5b411af5f4012d4b82b229e7b0342dbbe491a5d571161c8da5a4fd328a344e585793d611f0ba553b35431af

                                          • C:\Users\Admin\AppData\Local\Temp\3CX563UFPi.bat

                                            Filesize

                                            235B

                                            MD5

                                            37ca0c013a3a03ca62eb8df9b8aaa715

                                            SHA1

                                            e11381cf0990c41d557b5df1b77a57f9becb4fdd

                                            SHA256

                                            f7c68cb611597a3b41cef91b21237f6ca5bff2b9d8b83a6651f2d357b253e3c5

                                            SHA512

                                            d0a9e54415c02d0ef993ccf46de564cb39a1608981f20de24c1a01497a5c28930e5db81c33a20f0d644e9d3c1fe8b43853e1c07d9d72994b48d27f773178cfe0

                                          • C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

                                            Filesize

                                            235B

                                            MD5

                                            e9c71ee866c46aeb4a9803abbe38d6d6

                                            SHA1

                                            d09f26f3af35628e465925c85791793dd13bd503

                                            SHA256

                                            3175c7c2e8e035bda46809395358645700e17e9d50afa9d9fc65e4cbdc96dea6

                                            SHA512

                                            17d1c9daf841979152bdf4421fb37b90fc70547f22b42e4297db4c2a9c907d58a36f2776f4c60b6e1c0008f63ddab9aa93d0c007a3a0fdf86b5ffd06603b2a34

                                          • C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

                                            Filesize

                                            235B

                                            MD5

                                            6705d801119fea5e06562b0e8cce3608

                                            SHA1

                                            65ac50f7a69e83e16e2c4a6e011a69a2ed2cc63e

                                            SHA256

                                            316ba7913912b964cd99d834a7689181ca6f1f6ff793c0ea59e68d7248a12eba

                                            SHA512

                                            9a88f2e60c8c4b3cb819b74c1cfe351ec2fd59fb04a24d3a4c0604108aeae846f918b4b4398ed01c30c151e0995ea8441a71248ef2b2885f06c5921e1d01e903

                                          • C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

                                            Filesize

                                            235B

                                            MD5

                                            688828b31d79aeb235c5d465ba6338db

                                            SHA1

                                            f21a6777f1ca367b8362e569addc59261c964e20

                                            SHA256

                                            642016f042fe391414e4e7b1cf7fc3153fc33dfde37046e16b727ebdaba0818d

                                            SHA512

                                            2ca35a80f289afc8bf1a6aa5deded73bb7f6a2f8f7f13434a7e2d4df5688e82b91f544c8ec4bf2582102cf6c0c47ae8b4e04795330a0dc4bfbb5a20d2c5022f9

                                          • C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

                                            Filesize

                                            235B

                                            MD5

                                            f24f2c841ac47406dbe8d1ffb6a0c4cd

                                            SHA1

                                            9bce25c857ee2caece6e5d7c5fe74f414a89c105

                                            SHA256

                                            9ed68db2f6fff388698b757929dfd5790fa3f3543efc116e7be7b14522c4b303

                                            SHA512

                                            895f55bb216679f49d3ec02faf61f98eafdcbe6ee2bd231183e0ca6f25efe72e3ab181b7adb8cdb4dc665b37fc321951390a99f6d14400ab94801add0638510b

                                          • C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat

                                            Filesize

                                            235B

                                            MD5

                                            551bbddff7bcb76ec41f9f7a42f1b50e

                                            SHA1

                                            44ad5fec5151e9b0581e7f44144d5e1b4adea7d8

                                            SHA256

                                            d92bfa1d37475fc3a351b503608cd717fa025106c5aaa57642c4f01569645ad1

                                            SHA512

                                            9c9653a8d5af82f49f8bc2e2c7006f15b93a141979d79aba6910e7a606a11a7c93e0f243ca33c8de95dc33df87e2033efda2bda8daabca50b8643dd7ee216aa4

                                          • C:\Users\Admin\AppData\Local\Temp\Cab232C.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\Tar234E.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

                                            Filesize

                                            235B

                                            MD5

                                            1197adf3d3c7fe0714ea1a24bf14bec2

                                            SHA1

                                            00413e5dcbe442ce9bdaa57c0bcdef3b6b2c632e

                                            SHA256

                                            3b55cbcb2ca8363bae08e79ea882884cd9c01eed9d4c5759534dbaa5ad85c175

                                            SHA512

                                            6ef7abd6dfc99e15961e75ef9b0fff0728124ced83aede19087798075ca795925e55ad6e1f4d52218322d93cb556529d424cef157909d23387bfb60c66af50b0

                                          • C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

                                            Filesize

                                            235B

                                            MD5

                                            7a677e3b85e79f42f8a8ecba47dd2d09

                                            SHA1

                                            77e616b44ee3fbab6631cb88e738737fd600ea38

                                            SHA256

                                            feec65e693cc2d5b2ab7aa86649f1db9858d507ae79a7949449b7a793a8e9af0

                                            SHA512

                                            c90e4189a4952505185817737fd2110073b02bb55c5d08c8e461e10cea63309dfe8b60bd5027f93cf220609a7490c4c998c556ecf8b18987263434e6fab36576

                                          • C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

                                            Filesize

                                            235B

                                            MD5

                                            c57b2d3267f328c1af7dfddb784b15fa

                                            SHA1

                                            1b707a792f3f62367f51424de0c32502f6cfefb7

                                            SHA256

                                            57800920d1ff4e857ed868742ebea918cb0ec0c37551666074010de5663453a5

                                            SHA512

                                            c917145b2e9e5b18c5e4e9510f4065c97dbb179e2eecba8ec7760ddd8bc156f0470fc41294e972bfa6073cec135a377f2cb64ae188c591f5be982232fbc9c30c

                                          • C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

                                            Filesize

                                            235B

                                            MD5

                                            869f8c274b07f490f59a9ff414f3bc4a

                                            SHA1

                                            4e8f46b3bfdd03aa265d5890c600aa1c989196e9

                                            SHA256

                                            489998cecf46704cfc3f26d2f177b9bd18db9d122e7732bbbad46383d887d270

                                            SHA512

                                            9ffd6ec198f265fc861fffa823762d0c9c95e4cab17287e508e7b9620d159be204d9eea131634cf526d6b6a8e3608846e3cc1e02a5e5453cef8611b9b0177a66

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            a15f8928bebcf7e1771e2d59a6342177

                                            SHA1

                                            4288a77730b317b7456b3c40949243880bee33ae

                                            SHA256

                                            4faaa98c11a61676685338515c28d64c893f8afb3de52389a0b086c54dc07c03

                                            SHA512

                                            ec68957a47ed6bcc74f9b7e4eca46ab3ac6244eaa154213e30091a5fe9b4c976bf701b7a10101d9657c3b2e930007223951ba30c8c3982c084edf56618684335

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            76624376efa8e59c47ffb4c5dafbbe8a

                                            SHA1

                                            a00b07d032e1a2e958ff01bf1329c5445f921676

                                            SHA256

                                            2cbd9641e613bb71847bdc4eb98a6184e7ad05ca3be7d69b2a6bf7cf1fcfebd2

                                            SHA512

                                            ff5ba08dc35e2a4fef3c55ff43e52e4c568eab1500d24153ff1610930389b67e87d3a66808acf1df18d77f9c2367e1163418cbc8f6edcd1f1763d3d148f1383f

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/828-67-0x0000000002890000-0x0000000002898000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/828-62-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/1028-261-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1028-262-0x0000000000370000-0x0000000000382000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1224-44-0x00000000011D0000-0x00000000012E0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1224-45-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1476-620-0x0000000000290000-0x00000000003A0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1528-322-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1596-81-0x0000000000C30000-0x0000000000D40000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2004-560-0x00000000013B0000-0x00000000014C0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2148-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2148-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2148-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2148-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2148-17-0x0000000000470000-0x000000000047C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2216-201-0x00000000002B0000-0x00000000003C0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2576-38-0x00000000027F0000-0x00000000027F8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2584-36-0x000000001B630000-0x000000001B912000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2620-382-0x0000000001120000-0x0000000001230000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2836-140-0x0000000001360000-0x0000000001470000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2836-141-0x0000000000300000-0x0000000000312000-memory.dmp

                                            Filesize

                                            72KB
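The dropped-files listing above is an extraction-flattened table: one path line followed by label/value pairs, with CryptoAPI cache metadata, CAB/TAR temp files and jump-list fragments (normal Windows 7 side effects of a run) interleaved with the actual attacker artifacts under `C:\providercommon\` and `%TEMP%\*.bat`. The memory entries encode PID and address range in the file name, so region size can be recomputed and compared with the stated Filesize. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses an excerpt copied verbatim from the listing, separates IOCs from noise, and decodes the memory-region names. The noise patterns are this editor's triage assumption, not something the report states.

```python
"""Parse a flattened sandbox 'Files'/'memory' listing into IOCs (added example)."""
import re
from dataclasses import dataclass

@dataclass
class Artifact:
    path: str
    filesize: str = ""
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""

LABELS = {"Filesize": "filesize", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}

# Three file entries and two memory entries copied verbatim from the report above.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
7fdc43c03d6021ec1d3c6326acf44191
SHA1
b5ca9c9cfdec3c9e61aa8d4a42ffd335830f2416
SHA256
9a06a7d030687bc2d8b63d7fe012c16ff59102b78e1234675d12109e84f650b1
SHA512
0bb6619d0717799f249ecf1c1cec86e7074a2d163e44a78b6c33d8ccf7d9b93adfaad54a74088ee4d28c36ada08e98e86fb6dc70ccdb1da175b70b71a9bef4eb
• C:\Users\Admin\AppData\Local\Temp\0ms6Q8G3V4.bat
Filesize
199B
MD5
9bf0df597af1342248b98d983ae90d7f
SHA1
f24927f8ad0e628e7266eb6cd7ef68a8bcbcb226
SHA256
f1cac5d614942096d2934c75b95be26c55349a9ca9bd7bb39ca7f59c5bc52cd8
SHA512
6f5bf7ef97161c52a8e5708fe29a64b4d347af736f1ed5db39e5cbc108af8cb3c2a130b685ef907043ca2611307a7b7149c4d350e618d397701fbe1a40143e70
• \providercommon\DllCommonsvc.exe
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
• memory/828-67-0x0000000002890000-0x0000000002898000-memory.dmp
Filesize
32KB
• memory/2148-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp
Filesize
1.1MB
"""

def parse_listing(text):
    """A '•' line opens a record; each following label line is paired with the next line."""
    records, lines = [], [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        if lines[i].startswith("•"):
            records.append(Artifact(path=lines[i].lstrip("• ").strip()))
            i += 1
        elif lines[i] in LABELS and records and i + 1 < len(lines):
            setattr(records[-1], LABELS[lines[i]], lines[i + 1])
            i += 2
        else:
            i += 1  # tolerate stray text between entries
    return records

# Assumption: these are OS-generated side effects of the run, not attacker IOCs.
NOISE_RE = re.compile(r"\\CryptnetUrlCache\\|\\Temp\\(Cab|Tar)[0-9A-F]+\.tmp$"
                      r"|\.customDestinations-ms$", re.IGNORECASE)

def is_noise(path):
    return bool(NOISE_RE.search(path))

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_memory_region(name):
    """Decode PID, ordinal and address range; size is end - start in bytes."""
    m = MEM_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}

def split_artifacts(text):
    """Return (attacker IOCs, OS noise, decoded memory regions)."""
    records = parse_listing(text)
    files = [r for r in records if not r.path.startswith("memory/")]
    regions = [parse_memory_region(r.path) for r in records if r.path.startswith("memory/")]
    return ([r for r in files if not is_noise(r.path)],
            [r for r in files if is_noise(r.path)], regions)

def hunt_set(iocs):
    """sha256 -> path map, suitable for matching against Get-FileHash output."""
    return {r.sha256: r.path for r in iocs if r.sha256}
```

Run against the full listing, the noise filter leaves the `C:\providercommon\` scripts and executable plus the fourteen `%TEMP%\*.bat` droppers; the repeated 1.1MB memory regions across PIDs 1028, 1224, 1476, 1528, 1596, 2004, 2148, 2216, 2620 and 2836 are consistent with the 1.0MB `DllCommonsvc.exe` image being loaded in each of the re-executed dropped processes noted in the report's signatures.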