Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 23:25

General

  • Target

    JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe

  • Size

    1.3MB

  • MD5

    70885b3ec9d0f96c662c82849631c434

  • SHA1

    1844199f7a28f059977c5c4c16ee7d50c494af73

  • SHA256

    cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d

  • SHA512

    8e437fb4e2cf8f3a1fdb8755642fbb397f7702a5decdd8ef669031c5aa057d5de16999e99290afea6f4ab1cffeaf7928a53853166e22e568f3adb1ebdf1fa6af

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cb1fef4694d8e4ea173c464b0f7f23acee7fd8b213e89ff36df383334bd5735d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
          • C:\providercommon\Idle.exe
            "C:\providercommon\Idle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1716
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1936
                • C:\providercommon\Idle.exe
                  "C:\providercommon\Idle.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1624
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2948
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2072
                      • C:\providercommon\Idle.exe
                        "C:\providercommon\Idle.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1992
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:320
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:996
                            • C:\providercommon\Idle.exe
                              "C:\providercommon\Idle.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3020
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2428
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:1344
                                  • C:\providercommon\Idle.exe
                                    "C:\providercommon\Idle.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:588
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
                                      14⤵
                                        PID:2364
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:2624
                                          • C:\providercommon\Idle.exe
                                            "C:\providercommon\Idle.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1608
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
                                              16⤵
                                                PID:1540
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:1676
                                                  • C:\providercommon\Idle.exe
                                                    "C:\providercommon\Idle.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1700
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
                                                      18⤵
                                                        PID:2380
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:2016
                                                          • C:\providercommon\Idle.exe
                                                            "C:\providercommon\Idle.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1604
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
                                                              20⤵
                                                                PID:1272
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:1780
                                                                  • C:\providercommon\Idle.exe
                                                                    "C:\providercommon\Idle.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2340
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
                                                                      22⤵
                                                                        PID:2268
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:2552
                                                                          • C:\providercommon\Idle.exe
                                                                            "C:\providercommon\Idle.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2292
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
                                                                              24⤵
                                                                                PID:2960
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:928
                                                                                  • C:\providercommon\Idle.exe
                                                                                    "C:\providercommon\Idle.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2284
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
                                                                                      26⤵
                                                                                        PID:1168
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          27⤵
                                                                                            PID:1140
                                                                                          • C:\providercommon\Idle.exe
                                                                                            "C:\providercommon\Idle.exe"
                                                                                            27⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    355b76d408c0cefb4ddfa9c59fb71b97

    SHA1

    59e05e53c0ebd632c733b946e08bb722b4c811d6

    SHA256

    6b2e50e9ff6e692d8e384ec0b4e5aa7980714712ee5e64d7b8acfd5005727362

    SHA512

    9dbe10b17834a7fc28cd91df8af8cc708a6a31d7083b1dee3eae9f61f3635012ab572120f14787cadbb8f4b4607d6af9e0456d27e60f885f4c6ef168146a77d7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    041da31690c7f964180e40490d2d4075

    SHA1

    2f8c3c1641fc9d993c22bff35a692bc43d4c6aa4

    SHA256

    b78e97cab9f77e61cff0170fbdc81b820ca1f5f9c39954aa6defc86048bb9739

    SHA512

    d8c5de4daaa3710f947c6d1cdc0611fb39d06b84d50b9654358d240a40ce448f8728e714fb5f3e30118059bae56cca4bbe059d39a372cd46ec5fabf885b47b26

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b32363e5bcdf2f21fd1126b778fcd627

    SHA1

    2356d8629c2d30df98d6fb5c41ee81740af1cdd1

    SHA256

    fbc894ef75dd706bf5eccfb3ca6bd3287dd021e054efb97f9d19277970e28582

    SHA512

    c0bc2896c350a45b1e4a11100549e8ffe71d5dde3492db49df78dd478f99b75b4d4b367e913ef0fbfbaa4bcdb5365634fb18b11f9e0dec13b2e6c52f0c7b84eb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e94c0669e2bf59f92c6d2046ccbc883d

    SHA1

    d33085735e4861c707a606d3e4f735a009b086de

    SHA256

    16b2558684e7d57862396ee2a9c9d4bb2032502604efdbf58ff89ad7cc41b108

    SHA512

    356c67ce7d0b7f50d51f4ba5f1d080423e2688552d2460a7502ab2a08dc4eb7ac39cca3cc5ea7540ad4a304882c69ddee37b2771cfbb2997073f348454ad497d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c7230ccd419c289013f0c4d773a65008

    SHA1

    37ec0a7e03ed6fd84a826b72de0b5b56ff9e4503

    SHA256

    19a536807d2ec2425a5a80163f6fbcfc497640ac47458cd3830cb120f05c7417

    SHA512

    fb554804a786440ab4a842f9452f6f91a712f64a0788dd7e8626b33dee72c0d3a7a42f220aea84aa232475af81b94aabe2aa01558a3f4a06a8516773806c398e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0242b198ac257fd1aed7d24e16449c60

    SHA1

    bf742c0ce160e819feb437fd74a54f1ad8c89517

    SHA256

    02676be7f488843e35c6e40031f255ff3cd05ca5316fbf456a24c1f344aca1ea

    SHA512

    ad070268d397e83ae71d0773edf2542ae9bc9794350e96d9dc251b48dd85396c805cfb67febd7fadce239ae3608f8a92d0a2119d80f6631654e49f37cfded37c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    17a62ee33b82606140f7cc2783b054b8

    SHA1

    5900ede530ae51742783ebd91a2b626430ac2af3

    SHA256

    5bdbe6e9884f474afc089138c6a8eb1c02fa047d3792408759c8e0bb41af493f

    SHA512

    89f814fac8f87f914ab1a42eaa8ea4785ff02da70f277ee980f58034750b78ca90b24cd630b1f9dc7d449b278a93257b9e19ded565dbf8164a36b69d02f6a7ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b5761c24cfa2d9bbb0c1cb9b8296b6f7

    SHA1

    44d79f4832ba06de005058b1367e7b1be28b21b7

    SHA256

    95df9a625496fe7bf6771c4db24b8421027ae0ea9990342fd11a749435bed000

    SHA512

    07bb54916b72c0a46c8e5583c4269bba13558a81d5f05f046f8a471f69d55592385acd33e158e33d50987c79af71ab240b427b4ca4fd51fd2c7ee9892b9f16e1

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        af8976c6510bd9e3dfe122806e8f674f

                                        SHA1

                                        3198c0347ded5903cf86ca7c660ebb8d9df25c7e

                                        SHA256

                                        a980fe83dcad5f7ce810d47eab46c47636176944dba147f2c0bfed1ac6ddaf69

                                        SHA512

                                        46a4bc874bde26d1ea4b43014abdde02cfa52d605409bbe115904d2d4ffa8eb456872fa6573cbac1a3feaceaa71a8270442fdd5f372c34628b55b9f742766de1

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        f3c4e602d0af377bfdea8a5036379735

                                        SHA1

                                        647d457478764d5370afd9c9c3a1026174faab93

                                        SHA256

                                        aa5b38fa6fcdac1eb5bcb743a5909c7df02cbae8858c567c9c98bd55d61bd4ab

                                        SHA512

                                        aa60c280b4a6864ed09a4ce94deb80fd3c1b0026e24fd5af87d21f9ad93a24b69905e3a9310b8ccafad9e33b01cfb67859bd61f1bd3c20918d6b2e1bd142d60e

                                      • C:\Users\Admin\AppData\Local\Temp\CabCB3D.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\TarCB5F.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

                                        Filesize

                                        191B

                                        MD5

                                        51a6a54a3529381ba4ed3a95c9c3138d

                                        SHA1

                                        9bce03420149bc0b271e0a6f259299ed08d94a5a

                                        SHA256

                                        fbb61b2773b07a2dc582cb2db5c7309759ad8159352324ebf601632604127de6

                                        SHA512

                                        cf43f2a3e57b419fd26e154df9ef8699456d21f64ab6efc4afd4d26723718621bb4df54d0100db64354649f0292b65b5157aa538abf5fb3424ad3bd244ba62b9

                                      • C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat

                                        Filesize

                                        191B

                                        MD5

                                        878d979c1ec0c1c3cd9feb5393429b0a

                                        SHA1

                                        1b8a345f54c7f29ea11649edbaee3b4831b9eed2

                                        SHA256

                                        3b6b5aab1edcce1d48096904956213b699005d1a2026f179fce814fea0e6fe9a

                                        SHA512

                                        f8f94fbe331d96b942277150ee3cc3dfa108e8669c3488862c1cc69570a45f6506338e11df8357aa153faab0856cc86674fb840b9383c9dc054e24e50f14f058

                                      • C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

                                        Filesize

                                        191B

                                        MD5

                                        44a7549a9ec3712acc2887f44dfbda70

                                        SHA1

                                        11426bd140625e0c20a9f1d01a40d355d2f8df53

                                        SHA256

                                        4ef15e67088c79fa4a1e384df63fad1688f27950b309ff1269e949d2a6fe07dc

                                        SHA512

                                        88b430423482b8e21f4d18afb5c0a16b4158a6235e6ea715e1a2014484fd4106641a1957ef666298f34bfac41ea7fba10a32c8f8f6275b58623135abe41e5160

                                      • C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

                                        Filesize

                                        191B

                                        MD5

                                        c52abc88a9bb57ffa61555ba8eefc16a

                                        SHA1

                                        877c9657e7247276a2d1e72a94b1d194e2868329

                                        SHA256

                                        b12b69b04163ad0b26e3c47322be6c355f0687eaa2c418da3b8205daa26fd442

                                        SHA512

                                        2dfa5ed182c8bafa85732bd5adf5f64f166fe8e5492aa5f501e0134da347ef870784af103b048d4602945b7cf1fe3050a09b8599cf266c4f16bf97ab31c09606

                                      • C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

                                        Filesize

                                        191B

                                        MD5

                                        423f9bb753ccec627afc8a8676b2ea8f

                                        SHA1

                                        6bcf735fc94c299b614815ac9e6eb696adee7edd

                                        SHA256

                                        5547ddafbac563db596b20d5734957d5f623f3f28762707041b00f75581b1764

                                        SHA512

                                        6eddb8b12dcdb4c7ac4b948c07e713df0c19874e54a78f6b7c3a3b073a3628825680e03ffa0bc70754ea53c76236f46c056e4907a1436e5278fc83640fe40a38

                                      • C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat

                                        Filesize

                                        191B

                                        MD5

                                        334d9c8644518317283e772286c2b2e0

                                        SHA1

                                        367c57fcf5d418de75190af743a5ad9b3a25d24c

                                        SHA256

                                        68f50956142b5cdf6a1b76b719728830aee6a127f498196c169f7ae647e05daf

                                        SHA512

                                        648b2191b957974bd43a7f9f122545cf8981ed3a958d8ebca97f6a6b4064f155a586486ee729d52998a6f47a90c374ac35e9b84a388fd0c2202e95d95a753b30

                                      • C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

                                        Filesize

                                        191B

                                        MD5

                                        6f31a78eee2dc8f8f328be8323f4f79e

                                        SHA1

                                        b32c316572a044b772f532007274ada7726eda1d

                                        SHA256

                                        ebed92f877f85d00704f916a50532a0d3a76c2097dc8d6ef354a93020d2f84f9

                                        SHA512

                                        437b30c59dcaf2f73f2f8517a9f03d79dfe2c254a34d4bf68ca2cdcb78f542d9a8937aed477c28fab6cccbe663c25e31e0223019d1c7279caee89f2b62fc0336

                                      • C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

                                        Filesize

                                        191B

                                        MD5

                                        59ee857d21c000bacc71d382deff4522

                                        SHA1

                                        53147392298beae58dcdc16068d2f219966cf9c9

                                        SHA256

                                        0bd756fea8b32522c970819618e2d00cabff1c92fad692f7251fdf36a0b7de4c

                                        SHA512

                                        cd8ef70f0e2943d01e9d932b6b0b48502b77b06a0cf4847442df1b9010c510228e1c7d899eaf5959710db6379e1385bfbd979a6b00babd1e4edc0fad39e5411e

                                      • C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

                                        Filesize

                                        191B

                                        MD5

                                        26ab1fe61e87b50008e0516766f17744

                                        SHA1

                                        743ce1c9ae6abdd2e10a1a8bda46bf4a6c7b3c7b

                                        SHA256

                                        6c5888f24324d6eefc1244d2615b9969fd433c6f8ef735bcb6c0035362b934bf

                                        SHA512

                                        5930aa93f7d16b294d0466e9c86ec9cffe37c00fab52693ccfdb789513109e4a2d822383bdc0b79b88ea112ef4afc9fc7f0195047750352a14857a57c0f967a3

                                      • C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

                                        Filesize

                                        191B

                                        MD5

                                        6f098c1a58b2ff5a2a872915f177f15b

                                        SHA1

                                        fd9b04f9ec9252d7b6d86c778c71a384596401ab

                                        SHA256

                                        1523a674e83f7bb64eafd9307c0fcef930975a203fa74689bb62c6493c72e605

                                        SHA512

                                        ed905eebe8ad19d729d15836b67bd7aaf72f10ecfd8c5877f14fa52bf19733b34674af43f758fd3457aeda0bb2d9f76d0d4bed56bba9b3fdb09380c5a6b79a55

                                      • C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

                                        Filesize

                                        191B

                                        MD5

                                        4d667e0f938dfbbc24c9cc5ca1ff8332

                                        SHA1

                                        68bd4390f94af1b7270fb735be68e9b445b5a387

                                        SHA256

                                        a31cf047b334ccc96cf38e4249dcacbc51b3ece72f4c2156fc9f901308972658

                                        SHA512

                                        da4aa7c699cb6e5d45c78b386ab136f9cd33bb8978f93e3b1138069e54c89212564fecf9035eeefda81525718aff80b13961f8b6fd6e5a1b22ece00ebbb95e0f

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        5bb6c3e6b34ce0643fe0b75b198543d6

                                        SHA1

                                        155b50870496372a0555dad20252b976c2c3479d

                                        SHA256

                                        c23655683eb505d5e850df90c7ed6f8f1cda2d05dcb36e6223886e2d9d83e56c

                                        SHA512

                                        75492bb68661baa43a8257b467ad7d61552280fccf85dd8bf540099d12613486684bc043a04d2579602ff4e3f48c822db3c78f8006f61f2f86b4512e76323989

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/588-302-0x00000000000E0000-0x00000000001F0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1604-482-0x0000000000CF0000-0x0000000000E00000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1620-720-0x00000000013C0000-0x00000000014D0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1624-122-0x00000000010B0000-0x00000000011C0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1700-422-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1700-421-0x00000000002B0000-0x00000000003C0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1992-182-0x0000000000200000-0x0000000000310000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2140-34-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2292-601-0x0000000000FD0000-0x00000000010E0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2736-17-0x0000000000380000-0x000000000038C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2736-16-0x0000000000360000-0x000000000036C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2736-15-0x0000000000370000-0x000000000037C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2736-14-0x0000000000350000-0x0000000000362000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2736-13-0x00000000003A0000-0x00000000004B0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2972-63-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/3020-242-0x0000000000040000-0x0000000000150000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/3028-62-0x000000001B640000-0x000000001B922000-memory.dmp

                                        Filesize

                                        2.9MB