Analysis

  • max time kernel
    142s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:50

General

  • Target

    JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe

  • Size

    1.3MB

  • MD5

    3b901ad8a508e56be9e9453085f6cdd3

  • SHA1

    4fd624efe04557c69fba0bbad5ce156ba7e1d4ed

  • SHA256

    d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5

  • SHA512

    b693d6e6db976fbde730191ee73ac3d9fa48c6fc9e9cf663af951fcdf6895ed15d5c6b51e14e9d6a136b71499a5564d94b16b5edd58bfd4150c09c51ab4dcbba

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d146246e5dc3689634e6691e9afbf198682ff8d022ae0662557db66accc3e9b5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1912
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3YgPfhNWN.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2512
              • C:\Users\Default User\OSPPSVC.exe
                "C:\Users\Default User\OSPPSVC.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:348
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1108
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3060
                    • C:\Users\Default User\OSPPSVC.exe
                      "C:\Users\Default User\OSPPSVC.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1688
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2340
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:780
                          • C:\Users\Default User\OSPPSVC.exe
                            "C:\Users\Default User\OSPPSVC.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1736
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1664
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2004
                                • C:\Users\Default User\OSPPSVC.exe
                                  "C:\Users\Default User\OSPPSVC.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1776
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
                                    13⤵
                                      PID:2672
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:536
                                        • C:\Users\Default User\OSPPSVC.exe
                                          "C:\Users\Default User\OSPPSVC.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3036
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
                                            15⤵
                                              PID:1956
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:108
                                                • C:\Users\Default User\OSPPSVC.exe
                                                  "C:\Users\Default User\OSPPSVC.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2852
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
                                                    17⤵
                                                      PID:688
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:2012
                                                        • C:\Users\Default User\OSPPSVC.exe
                                                          "C:\Users\Default User\OSPPSVC.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:600
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
                                                            19⤵
                                                              PID:2932
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:1764
                                                                • C:\Users\Default User\OSPPSVC.exe
                                                                  "C:\Users\Default User\OSPPSVC.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1988
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
                                                                    21⤵
                                                                      PID:2088
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:2336
                                                                        • C:\Users\Default User\OSPPSVC.exe
                                                                          "C:\Users\Default User\OSPPSVC.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1584
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
                                                                            23⤵
                                                                              PID:2976
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:2404
                                                                                • C:\Users\Default User\OSPPSVC.exe
                                                                                  "C:\Users\Default User\OSPPSVC.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:448
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
                                                                                    25⤵
                                                                                      PID:2248
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:2904
                                                                                        • C:\Users\Default User\OSPPSVC.exe
                                                                                          "C:\Users\Default User\OSPPSVC.exe"
                                                                                          26⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736

Network

MITRE ATT&CK Enterprise v15

Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        25c943eaa5415a91515144676b4d1f17

                                        SHA1

                                        b0160ab5ac4ba36c473607c0343e8272845b6d6b

                                        SHA256

                                        78023d56bc3a524808336e4f294a1eb767a6a89c405921c0bb21b7a645c9c2cf

                                        SHA512

                                        233f1d4b3a48656e999f2fc95b8cb9a231e676aa202cc8f3c8fe3acbef5bcfde5a2099fcfa83cbdda110d8c32caf0b404e1bfeb266e5640db29f2aa4da4895ea

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        22d3120ef3a943ecbf02cf36bfb83723

                                        SHA1

                                        d2a31e8ece59d8b5090276ab6c4a678a8e250a57

                                        SHA256

                                        4f627b714aa934807fa43ffd27c8c4c136f3a0e0b92b9a42ee25652cd5f4215c

                                        SHA512

                                        31114d6acc2479e8feb84b3d036523c2f86070f383d7acabf5b88a19dfd7bae2efe0669699c14afe09fc5497e05c8537f3ff44f7e8aad785f072f7760ca174cf

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        667afdeeaa66d2d94d69d05283844f20

                                        SHA1

                                        773e9b5ab41cda46a1b177667909c27304979ab4

                                        SHA256

                                        9c40838d974bc8cbe0537670505e77f4746433bc7bd480d321b21bd5c12347a9

                                        SHA512

                                        7b6a4f9985879c0768ff8a021d25610cdb50f3b34c264195793d8b1f5507aeeeb5c3a59c002f60ca32488d5078d62e62f8554ae1e7e4c0f969f066768de2d7a3

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        2a4125d1570011fe9d9c9120597bbe64

                                        SHA1

                                        ec18be8bb58ade6badcf6772ceba9a363532df7f

                                        SHA256

                                        4fae480db15346fe192863bc8b55e634a07ecbcd540fabcbc94b356b0d4c750f

                                        SHA512

                                        bf7bf3b9ca1e8b203f3927f2eda229bd3d09f1b6c74046d1b22156529220d70a368f9fe4ca1152a3c1ffd9b70977d84b7373cbce2459f225f58ff82d684e4582

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        8d5bb7027a5ada94318302f2b19ff9e6

                                        SHA1

                                        76088675c1fa7f65689be60808f4bfb588bdf892

                                        SHA256

                                        344d89bf65b08eb886620171ad5c2b7b9d3ce71b44cc55c2ab82791f9890d08d

                                        SHA512

                                        a18df7bec557ff215f07f7ee85429b74a924d026f2fb5c82723dccc14ac8b9b78a3b432dfb497f403f8b8f02c779a12f6ac759039d4a9f7e6d25fe917f69e545

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        aadb7c00f8612b89775be51d617f0170

                                        SHA1

                                        4967ab5063e893353efec7aa8fa0a89ada198e85

                                        SHA256

                                        a6f4b93c56faa197232ce6e778f37300a1f5858c0167d7e79868c9e9fed2a427

                                        SHA512

                                        6daef870839c14ca5704e42fe60fce2f2693499df22892f9ccbc45587e99f3ef9fa62000837713d0bd58579538826b20a13593fc198ea358dd5d6595587a0123

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        853fc9ca102934bda99e6b41c9354fbf

                                        SHA1

                                        223e0cea9a458a4b814e10544992700328c7f6d6

                                        SHA256

                                        22297d8d4356fb4cea2b8dfde5b1439be7a76b0d6d194080589c121f4bd2b417

                                        SHA512

                                        961bc62f7c88098998c705c7f760ea9cdad644ae0a039fce96d1e70a34005f85420e0062bd4defb362fe7a0fd0413e00642084218431dfbb9a3602bc1be287cc

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        9ee2f1ecb23662e74e4f74d355c6aef2

                                        SHA1

                                        a477b6b96ae3ac169c17db960ea58d36ac8e5700

                                        SHA256

                                        931bed6b6b2ffba472bb453dd8a3fa9958711231818583e6cc9703e30177d125

                                        SHA512

                                        c192d5a74393655f640f8001561e5d4498e83fb786f21c73da2b63a9853d26f9aa5274790b8c930749ee01f2b2f3b94f8d65c83434f7ab3ad534a812df900cc7

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        b15904bff78b8d3ed1df8c23c985131c

                                        SHA1

                                        6bef5e20b4906258e8dbd1253fe9b30db481caf1

                                        SHA256

                                        f1f154e492bccaa7d84706879dc11731a35557a2f34a67b801540d2540be933f

                                        SHA512

                                        8dc4b3e741be6df7d3914c8fb988a367bdc6b41ebba6c8d1bf35ce27ea3e05ca63627556bbbad9a49ed3c4c4027f63e86a37bf97b2c441b4f516c1f401bc4cff

                                      • C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

                                        Filesize

                                        198B

                                        MD5

                                        cc746bc941946d90d820a9bce07dceec

                                        SHA1

                                        9eb0b346975da4ea7ea622163eec9ad9c3b895da

                                        SHA256

                                        33815f8f6dc08adc16040838f1aeff2d249d3dcbc29c29dd27a23545259f09bd

                                        SHA512

                                        3bab33a6d16a5e366aa98208b7620e567294d86ed837dc034931ba4d01ec0c32a628d7178ee15dc01e29fb5fc45965c17d1bb39fc809bcc7264af0fabbd8f43b

                                      • C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

                                        Filesize

                                        198B

                                        MD5

                                        829b6b741dbf9bd74d543d4054d6af8c

                                        SHA1

                                        d17e682f7daacb3de5298bfee373042e13a074f4

                                        SHA256

                                        741a8839eab2da4eb7330e9fa86116e9e3e89b9549fc7757bb91ca4ccfb0a4c2

                                        SHA512

                                        fdccb4a639ee4db9b681fff6f4e69747ff163c4d5dbba4716da7402acacd36014406cdf838534315af20864ee55426b71c7f6dbd2a726345264230ece368bd62

                                      • C:\Users\Admin\AppData\Local\Temp\Cab145D.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat

                                        Filesize

                                        198B

                                        MD5

                                        8047d3ef2d65029b70e7b18b5c9f84ec

                                        SHA1

                                        bacd5a6bdba57e8d31ab8082b31b0ea8f8e9c252

                                        SHA256

                                        5a533df13cba22090b766e5e25db6c9034bc4dc24f39801028ba5527a80beafc

                                        SHA512

                                        fbec3fae711642fe8ee1007acd13593f847ae2d0049eeed9243248f3bc92ce0145a56ef498583877e9b04d74f96ce43a962233fef5c0319e7b62279c214c20bf

                                      • C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

                                        Filesize

                                        198B

                                        MD5

                                        5857defe24c82051e051336e91ecc1fc

                                        SHA1

                                        f8546fc31646ff95400ab173cd19c467118bcf7e

                                        SHA256

                                        7d544a286be065d54017de79115d613a7fadb5181175eabe76ae3251fd2e6954

                                        SHA512

                                        c1284d75662b16550a31e948ff65635ba5c7089641d0bee13f3bdc7f739b55b5195348e7255713f059b17f76de87a138cfd21348869ed1ab5feb093ab4ab5124

                                      • C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

                                        Filesize

                                        198B

                                        MD5

                                        e1fb67ab3fe916e22c244b544d71927b

                                        SHA1

                                        72ab05f06f744c416122e162869b980130797458

                                        SHA256

                                        2a885266dbfce77ffa2c4531985426666587f7ab368b8d21317a3247d33fd21b

                                        SHA512

                                        76e783cbf769c2bed6e125aa06b77f3788b05b98059fba2ed193b23e2560e24ca6d876f61d9cbc89f27fe182dde278f9f30b94a9de421dbf489dbf8031542791

                                      • C:\Users\Admin\AppData\Local\Temp\Tar147F.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat

                                        Filesize

                                        198B

                                        MD5

                                        8f6ea170d6c5dce0ed139b73d355de62

                                        SHA1

                                        f0d2b4067391c0d64777cae7b89b7e783368cc1c

                                        SHA256

                                        dbeb2f47426ef7436cd33ad0fda07ba078498bcdf007e35769ec3f0756d2352f

                                        SHA512

                                        130cab270a2f7d65b4742a6da2f2ef973c2af22e3f7e03c250868c54d53eab4a36da612e931c936cf98af6e1df4cc9b665d321f2e05e5aad77050e45ca7ab4e3

                                      • C:\Users\Admin\AppData\Local\Temp\f3YgPfhNWN.bat

                                        Filesize

                                        198B

                                        MD5

                                        a427f0d5306b8eeaf544cfb6e75a7107

                                        SHA1

                                        6009d167e4c1548384c946704ba29bd7e952dd1f

                                        SHA256

                                        7f87c64e1f06cc6582c5df154d5ee11655573319b98700eb6b0b2509fd9f8c76

                                        SHA512

                                        bbd2e97e7f5c490ab18d945db45de52d434386b31e72ba089949e9edb40196139233231092eb8f0c7888590dd2a81245369e8cf49e66a0cd2c380e02773c482d

                                      • C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

                                        Filesize

                                        198B

                                        MD5

                                        4cc446d2e55c0b840c18da4abd588812

                                        SHA1

                                        26cd2fa18a4d37785dc99b2ffb2b13867a8cd5eb

                                        SHA256

                                        b88b1d2528c05b82ce40fe6fcdf52219cd35d155bdaca05cbc78385b64bda73b

                                        SHA512

                                        179035e013c08e8c38addd093421707ec888ca29c0fc41d220dbb836acf60956cb25ad64e5d9d7f1938c5542de023bf7cb4da11a6d18265fffbae1885b6bc973

                                      • C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

                                        Filesize

                                        198B

                                        MD5

                                        67841aee7388bd999cf6ea5901128839

                                        SHA1

                                        8d642f34819b316e06c4c89f09a9ef5f1e76b8c4

                                        SHA256

                                        ab9ed18250e43faf0405db401e634e7e0730a35c344d1e32de6bb7f3d814b874

                                        SHA512

                                        38d988d6b8b1113b56a9786caf63c975221a6b3d12b41b0f5def528efea865dac53d8d388dcab6b0ab7180a088e453b2e0094d4bba33cd591c08bce9131483aa

                                      • C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

                                        Filesize

                                        198B

                                        MD5

                                        d9dd4836e7d2e009718dafdd31faf82f

                                        SHA1

                                        49a0bfc63a489517ce0a39b6aa40d4a2b4a39e95

                                        SHA256

                                        ef5c5cf97f096f21f431fb23375204652b7672c973c2bbfeeb18a75b28aa334e

                                        SHA512

                                        7e1ca1dcf19d3fdd68f27852a146c586fd244d1480d9a9db2302aa3c0db85b7d49dfc27938ae25db8a156653613250897274c59cc25f25c73ff6638331ba7212

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        b47aeeaba9b7d13429095350692456ce

                                        SHA1

                                        0cb381f421da1a673373c90f51e933a76ab98f8e

                                        SHA256

                                        3dc030609ac5878cf130761822d4efffaec317e577814db5341937cdc2715abc

                                        SHA512

                                        b3cad1b879e6609052e8651acef17f32c971dfd3f1056f9cc2d02c3bcdbac4a704edae92c2364ec28d995f2bfea25d0a81c8403821ae8099fde1c8006641e3ac

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/348-74-0x0000000000460000-0x0000000000472000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/348-73-0x0000000000B50000-0x0000000000C60000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/600-431-0x00000000004C0000-0x00000000004D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1736-192-0x0000000000C30000-0x0000000000D40000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1776-252-0x00000000001C0000-0x00000000002D0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2348-48-0x0000000002860000-0x0000000002868000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2424-39-0x000000001B670000-0x000000001B952000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2560-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2560-14-0x0000000000350000-0x0000000000362000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2560-13-0x0000000001290000-0x00000000013A0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2560-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2560-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/3036-312-0x0000000001320000-0x0000000001430000-memory.dmp

                                        Filesize

                                        1.1MB