Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 18:46

General

  • Target

    JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe

  • Size

    1.3MB

  • MD5

    718e3d0dc5c404d7118e97ac85d754f6

  • SHA1

    a4ee7e06c49a3935a0192ace8abe2b849509fe2e

  • SHA256

    6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15

  • SHA512

    fce2a782de420252b00f02ff16f942216a65d86e90c328b79589bd90b4fe0b88951bd27622506a1ca221864ed273a620f9b0314c26754a1ce3f706f6686ca2ed

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
          • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
            "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2696
                • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2488
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2732
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2076
                      • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                        "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1052
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2284
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:448
                            • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                              "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1700
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
                                12⤵
                                  PID:2908
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2888
                                    • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                      "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2840
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
                                        14⤵
                                          PID:2072
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:2740
                                            • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                              "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2724
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
                                                16⤵
                                                  PID:604
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:2088
                                                    • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                      "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1636
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
                                                        18⤵
                                                          PID:1592
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2664
                                                            • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                              "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:876
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
                                                                20⤵
                                                                  PID:1616
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:1040
                                                                    • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                                      "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:488
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
                                                                        22⤵
                                                                          PID:1568
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:2648
                                                                            • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                                              "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1472
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
                                                                                24⤵
                                                                                  PID:2080
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:1764
                                                                                    • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                                                      "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2548
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
                                                                                        26⤵
                                                                                          PID:2856
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:2944
                                                                                            • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                                                              "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                                                              27⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1548
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
                                                                                                28⤵
                                                                                                  PID:2676
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    29⤵
                                                                                                      PID:2504
                                                                                                    • C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
                                                                                                      "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
                                                                                                      29⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 60505c769d8a015965153369d6418237
  SHA1: f9ac320a647756b2b2ca835dfd7699be7e3e258f
  SHA256: f97962135c5656c70400fefb744eed3d70899e40c576e7a42adcac6b0394088c
  SHA512: 3ac29f732938193ba2e587a3be2214423d358f7a1cf56d3f6d88dc05bb76e7a96a1cc90acdc0c203c9ae1126d229f09261d6d32267cd31927e5574a6e12d3cb3

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 153360963d526d5562b2bb173a09cd3e
  SHA1: 980dfa142633d5eeaedeff86cfa620e70f6585ec
  SHA256: a05ca088b7791f845b157126286af2bbf617a5ee98ff63b61a7c2e4b5342ddad
  SHA512: f45c38956db397100a74b944b15197511e90bf642991e90436fb994563aa2c38f7fda59cf4a3a2118e6cf409c1d18b16bfd29b1844f589482af842f33dc92b84

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1c75a0b427fbcea1f77205a01d8e0962
  SHA1: fdbf8507fcb09ff149359f519bfbb2e2ac4dad57
  SHA256: 37ae835c0c2bc1cf2775f07f455ab0df50be22edb90c33566fad3794e2a3cc87
  SHA512: 056f794d76ee01dd28a2d0fa2dca9c11101fe61e6f676314bca2b71d75c4a69d087da0817e9ed2586f79008207c1c140a3f467045ff5aab7a0d618e4cd9cb09a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bc27775dace419080cf9ace9a20d0eb3
  SHA1: 9efc0d4c91333be6cd02f92a906b9caccdc2af6a
  SHA256: d8183de07787c3c76059ac5f6921cbfbdbac3f0f74c10217d124a4e1a46f0582
  SHA512: ee152ab896ed32abffd5b605803860b08dd4d993a8c442f66dde8fc3cf7c26ffb55f64b15e140bd15991d4f421d70caee5c3c5868546bf578ac5dbc21254e274

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fc9c93a0786a6e3e0e659c5977be2680
  SHA1: 13e7d959e11fe2b43dd5cf2ca46add3a2c1afd2e
  SHA256: cdb936bc04a461a7ac8c9388edc606d3edce0fe9deec47cf91d8f5bf7e710d1b
  SHA512: 1c745186eefc9a27dd34815a8b7b0d37b4e37f68a1c6f3470a9fda1301027d0a6458491d267dbfda7ae69902a93eac5cd44015a93464098c65ac1fb701c3d95b

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3143126807d2c3d932183d7ab4970895
  SHA1: 87c0c4c9c3729a522afcaabef5c45179e97c5773
  SHA256: 450d7daa8645e51f18187860681778b33ee03be3752036f28af757260c3f4c7d
  SHA512: 68ab5e5c059ee3d2b3667c0e9db1fa17c4509650bce06d2f6d9006bac3ba329c1300138fe4e2b85531274e688aa5a384671ac817751975b73a9a6fd5724442f2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ba315ba5ef7d94a7cf663038ea2d6ea7
  SHA1: 17a8fa21171d29f5618f3d30fd7cceb6e3057611
  SHA256: 6681a655b1916081cacea6d90a20ea7c8e085128ee52691fb9e8fbafb169b560
  SHA512: 0dd2895c1e7e3936d8ca6216c5f8affb74ca745994cb523146b1fad918778d004042f4306577e32ce79f8536a08f210294ae310ac75fed99a94f1d41c22336ab

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 405bfa0957281891f66fe528b01f6d53
  SHA1: 41909e2da369e89b7c56692dfb6cbdf1350aaf53
  SHA256: 6ec58e30e641437084939a4e27569ed50c4e6b735b7c4a41b5ae1081bea2996b
  SHA512: 85b98dbfb2ff064bb4336144956024311c83bf7827614a132a1595c23091a685e2db5424dd9abee7221b60b0b6504e1e77113fc54cd592fdb4131d2ca9060848

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 35fff023531e8d0f8aa714c5d7d29427
  SHA1: 114afd29282004534674b77f902bdab593639feb
  SHA256: d9411ef82bab909b9cf78c54279e743d6af480c902622b7f26266917c00624f5
  SHA512: def108aaa36e56e25eb2f8b916b83280ecf84653aa74696cf80105cbfa73191fb0dde8470346dfc7c7f485fcf71099103b902ab0886d40edf4c50d2ebce50168

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bfda1348bdaba919d05b11d47d9dd22b
  SHA1: 1728ed2f6edf26a0a068a334bed1841134b5a419
  SHA256: 530d4fb5938d5d53c686dffc4c19587c8d917dd1416b445c82c2f7cfa47e8324
  SHA512: 0f44ebb631b363b1f491b6f6d9fe7afcd65242873843d188f8f13449f68501df2b35c6fe8c1ce34127329390aec3fb14b8981f41723f407f27008ca22de1167c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 92332d46849a9b6d843041c8a70a5b90
  SHA1: f6db084911f833c0738bec2ec4349b69f37f8b71
  SHA256: 79e7e9c753833e9a92d97bfebbaa7d5cf8a9bea33eece2c43ef2d4c713f5270a
  SHA512: 9ff6178949a624f88b76b4cb96666bb19a17cf0a487dcda6b338cf09ceed3031f7a20e3dd69ddb0e29c531215e52874288db4183f1eb91fd915bf39c6582b3b2

• C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat
  Filesize: 213B
  MD5: 6908662cafbee6d3cdb51fbc2e1084b7
  SHA1: 5761991bd3cc493e1cd7809af8ce7017c9d12bd4
  SHA256: 1018d8ccbd93c8edd27fe823188aaad3972a4cbc9cab94d1676c582678e41e69
  SHA512: a50bff652121a84bf92c2ad4a3d438a50f1fcbe0fcb52830870708bd5d106606f422992f183d71fc32740e75d32cf9205ffcbc5b7509eab637fc5ec7b27d5e22

• C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat
  Filesize: 213B
  MD5: 382a893a30343e88f5e7e7090212843b
  SHA1: 5e164a6b8bb7691fd315e194edb8a6fb790c9454
  SHA256: ac40b17573853a044bc816db0ff196bf5e97e6352098445835c33fcf3ca7cf9b
  SHA512: ba318be07cfdee5d5610a106d01a74042dc662c1f3be9640c7fc9924d911b25703b3b5b07a5898eb7acceaeb07298c74a647b7ddeb9a8ef9774ce2b83f9c80e0

• C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat
  Filesize: 213B
  MD5: fd914643d1116229ea1e6d8a465e1c9a
  SHA1: 71922476a84fd3680dfdc903767c35e3dd010020
  SHA256: d8f3a8ca8da2faca316f4729d0cc157bc9df5a5e073df4f7c5d347e92a8cff64
  SHA512: 18e144c63664fedc6fab823231b6dedced408c65b725e3d97af366bbd5bff8e14d699dc171f98570bec2c7726e8fa8603af5827e4f1189c20ad1bd4526271904

• C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat
  Filesize: 213B
  MD5: 54138fa746f47f74c3d31e89f65e358a
  SHA1: a47b1f9574cbd4e402d7fe1d25b0969ed4079e89
  SHA256: 63d972f21fbb7bc60d064bb9874f76560c63b9871b9a11561782bd65bee30001
  SHA512: 51ff43a05c2fedc0640da960fd7a1f4c6ef7686c4c5de5c673b7891606142369f2ac39fe83308503c9e060f44415a70af95ee7ac1f7c4b615f36d11d9bdbe626

• C:\Users\Admin\AppData\Local\Temp\CabC6E9.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat
  Filesize: 213B
  MD5: e1fcab8d6b96253e9017bc277657fb25
  SHA1: 8faa6a161eb696d9076f7493284762cf828c0596
  SHA256: 807eceb70fc04f0beff05730d94618a71e7f36f609ed4edea00064206c1b2703
  SHA512: 299883448a12dd2ab462fd729373db83e0d35d6aa1137d36d7d628ae9e6b5f1f447e9bf98b8927b8db6649a7a114df564553208497b725ebf48b39a62f4c2cb0

• C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat
  Filesize: 213B
  MD5: 49539393ef1a2a2faf95772baf6d47c4
  SHA1: d09aed97c805b8ce6a5699200c8ab17463e9ffce
  SHA256: d5ff938b85e107aa47975b6f981b3dce5c1a1374fb9682666de78ea8438aa5fe
  SHA512: 773348dc15cdb9083979e475887495b038ae29294f3989f6a3128430a98733be9e35f2d1edfb1883cfdc411373bef16584e8b00c986d53916dd5a18dcef8bf47

• C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat
  Filesize: 213B
  MD5: 26b5d347539caa533f1a5109ae35918d
  SHA1: 852e72a93651474ee3c12eb7351ddd79106d2892
  SHA256: 2fcdb2e038842ee9f13e2ca09754e77d191ddbd3c5ce96e254a85a5dc4d6095c
  SHA512: a0410326daba519baa22bb0d8b1b358e9cf6ab6c0f7e1f8c8295d3b6cfc5cf05a43b5ce9d480329c82f991bde4d500ab0808de151cc45a1fc358749c47120eca

• C:\Users\Admin\AppData\Local\Temp\TarC70C.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat
  Filesize: 213B
  MD5: 10dac95deb81c690dbf0c8f71f539dce
  SHA1: b4883fecef439f2aff31c3455c0ec237cc515922
  SHA256: e2403152a6c9f96ff059cc7a489d47a01cee842d54b7fbaaef34d6554eb02989
  SHA512: cf4a624962d53375f3926c2d37f123237995ad47e93e8a763fcbf6b83708a5d727828a37336462f7ee217d8216e74c2e198d8946347d37fd23e4ee8e7512f329

• C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat
  Filesize: 213B
  MD5: 5d3cfe8591d9519e86fdb7c28ad40cbd
  SHA1: c0bb07980c3dce0d48deab19ed5a3febb8c910e2
  SHA256: 4d238e420552d128130ecc73543caf269fd0b1e00f955e68fc2daf4acd0f5603
  SHA512: e26cc6809c79b51180fea6e400a067c2136cd929813b845b5f47ff609ce89963071b90a0e5593543336c70a9bfa0a43c80609c4f8a2635b46ca1b836b8556d46

• C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat
  Filesize: 213B
  MD5: f124b9fdedf086e0e7aed6aabaf0c342
  SHA1: f10f5bef012317fb618dc3802c0af37d75bdeb4b
  SHA256: fce74e1d8325af19b9bc476339618e2507151d4d3518afcca72776b19b8a0946
  SHA512: 1ad9aa98c64a3a2f913a7c2b0807e9ef084b76b80990fb91b6b155029f678a18fad9607c91226e57c2bd53ea3d87f3f12068316cd44f8fc0782af2245da4c523

• C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat
  Filesize: 213B
  MD5: e862031a705de96749962546c0ccb0ff
  SHA1: 0afb7f38dca29d54dbab84df18127a413d40df29
  SHA256: a0c6c06d7f4722ec48c3dbc5a0f7190fc4fbed102ea0e31d7878c68e721e4ed3
  SHA512: 2daf46ad77767594b48d766931cd4d0ab4589bad52ba7b8d4dcf144be21724afaf24e181b6e681ff149fc1b0ff155fe87c286fa9ac42c8fee8af8e8f02b59cc3

• C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat
  Filesize: 213B
  MD5: dbceb58d9b647afe9d4fef9a232e4d67
  SHA1: 34c7c432b35529effd1587f3b8d4195107f049ad
  SHA256: 34dafd8c4973a5babf9e8fbc2949a4ebccd9c9bdd9c5257112b3785a90ce9476
  SHA512: eb1e65bc8cd0bea00332fbb90ecf33ef0e4657dfb95b2d7321915561007a85c80cc0ff60eaeae1a66aae46fddd43fe4d91efef1f164d09f0b698a4b9cc1260cf

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FBZYVPRHV46J525KTYHF.temp
  Filesize: 7KB
  MD5: 8f3cc03d6961b8572bb6837441cf37ad
  SHA1: b6a3930a69bcc9e7f38820ed416475dd2085fbde
  SHA256: d7296b80b18c10dd1cffdd37b3f7f2539e8ac4ff80da2125e65ce72fc5061199
  SHA512: 2b00664415f6976df9842ad300d67e1f7dba283db20ba6f5552b002455f60e1ea1fdeb0704033d1c0002fc53ff01875b1f9bbec355b6fedb92557bc062d90115

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/488-550-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize: 72KB

• memory/1052-192-0x00000000013D0000-0x00000000014E0000-memory.dmp
  Filesize: 1.1MB

• memory/1472-611-0x0000000000550000-0x0000000000562000-memory.dmp
  Filesize: 72KB

• memory/1472-610-0x00000000011B0000-0x00000000012C0000-memory.dmp
  Filesize: 1.1MB

• memory/1508-66-0x000000001B520000-0x000000001B802000-memory.dmp
  Filesize: 2.9MB

• memory/1548-730-0x00000000001D0000-0x00000000002E0000-memory.dmp
  Filesize: 1.1MB

• memory/1548-731-0x00000000001C0000-0x00000000001D2000-memory.dmp
  Filesize: 72KB

• memory/1632-67-0x0000000001E70000-0x0000000001E78000-memory.dmp
  Filesize: 32KB

• memory/1636-431-0x0000000001040000-0x0000000001150000-memory.dmp
  Filesize: 1.1MB

• memory/2080-17-0x0000000001F30000-0x0000000001F3C000-memory.dmp
  Filesize: 48KB

• memory/2080-16-0x0000000001F10000-0x0000000001F1C000-memory.dmp
  Filesize: 48KB

• memory/2080-15-0x0000000001F20000-0x0000000001F2C000-memory.dmp
  Filesize: 48KB

• memory/2080-14-0x0000000000550000-0x0000000000562000-memory.dmp
  Filesize: 72KB

• memory/2080-13-0x0000000000900000-0x0000000000A10000-memory.dmp
  Filesize: 1.1MB

• memory/2276-73-0x0000000000330000-0x0000000000342000-memory.dmp
  Filesize: 72KB

• memory/2276-41-0x0000000000DA0000-0x0000000000EB0000-memory.dmp
  Filesize: 1.1MB

• memory/2488-132-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB

• memory/2624-791-0x00000000013A0000-0x00000000014B0000-memory.dmp
  Filesize: 1.1MB

• memory/2724-371-0x0000000000330000-0x0000000000440000-memory.dmp
  Filesize: 1.1MB

• memory/2840-311-0x00000000002B0000-0x00000000002C2000-memory.dmp
  Filesize: 72KB