Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:50

General

  • Target

    JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe

  • Size

    1.3MB

  • MD5

    e612b8edfd6f0747bc2c37257c7a31c9

  • SHA1

    2b6284e7202c6c288ee3e8242761ad27532cda92

  • SHA256

    cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24

  • SHA512

    f19a2ff333be0c2167898dd87a54fc345bda97ca8b72c780130ef87b145617a6256158382f0e93c7d132a328522c6f30b5595375749fb99919b0350a5b31c3e3

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
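The two signatures above that matter most for detection are the Defender exclusions added through Add-MpPreference and the schtasks persistence whose actions point at system-binary names (smss.exe, lsm.exe, cmd.exe, WMIADAP.exe) planted outside System32. The following is an added example, not part of the sandbox report, showing both as command-line rules in Python over process-creation telemetry (Sysmon Event ID 1 or 4688 command lines are assumed as the input). The rule names, the SYSTEM_BINARY_NAMES set (taken from the task targets on this page) and the SAMPLE_CMDLINES list are assumptions; the samples are constructed from the command lines shown in this report plus one benign task for contrast.

```python
"""Command-line rules for two behaviours in the Signatures section:
Add-MpPreference exclusions, and schtasks persistence whose action is a
system-binary name living outside its legitimate directory (masquerading).
Input is assumed to be command lines from process-creation telemetry."""
import re
from pathlib import PureWindowsPath

# System binary names the sample drops copies of (targets of the tasks on this page).
SYSTEM_BINARY_NAMES = {"smss.exe", "lsm.exe", "cmd.exe", "wmiadap.exe"}
# Where those names legitimately live; any other parent directory is masquerading.
LEGIT_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")

_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
_TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
# schtasks double-quotes /tr values that contain spaces; the sample additionally
# wraps the path in single quotes, so accept an optional inner quote.
_TR_RE = re.compile(r'/tr\s+"\'?([^\'"]+)', re.I)
_EXCL_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension)\s+['\"]([^'\"]+)['\"]", re.I)


def is_masquerading(path: str) -> bool:
    """True if path carries a system-binary name but sits outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    return not str(p.parent).lower().startswith(LEGIT_PREFIXES)


def check_schtasks(cmdline: str):
    """Finding for 'schtasks /create' whose action is a masquerading binary, else None."""
    if not _CREATE_RE.search(cmdline):
        return None
    tr = _TR_RE.search(cmdline)
    if not tr or not is_masquerading(tr.group(1)):
        return None
    tn = _TN_RE.search(cmdline)
    return {
        "rule": "schtasks_masquerade_persistence",
        "task": tn.group(1) if tn else None,
        "target": tr.group(1),
        # /rl HIGHEST asks for the highest available integrity level at run time.
        "highest": bool(re.search(r"/rl\s+HIGHEST", cmdline, re.I)),
    }


def check_defender_exclusion(cmdline: str):
    """Finding for any Add-MpPreference -ExclusionPath/-Process/-Extension call, else None."""
    m = _EXCL_RE.search(cmdline)
    if not m:
        return None
    return {"rule": "defender_exclusion_added",
            "kind": m.group(1).lower(), "value": m.group(2)}


def scan(cmdlines):
    """Run both rules over every command line; return the findings in input order."""
    findings = []
    for c in cmdlines:
        for rule in (check_schtasks, check_defender_exclusion):
            f = rule(c)
            if f:
                findings.append(f)
    return findings


# Constructed sample: three command lines copied from this report plus one benign
# task that points at the real cmd.exe and must not fire.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Default\\smss.exe'",
    "schtasks.exe /create /tn \"smss\" /sc ONLOGON /tr \"'C:\\Users\\Default\\smss.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"lsml\" /sc MINUTE /mo 11 /tr \"'C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe'\" /f",
    "schtasks.exe /create /tn \"Backup\" /sc DAILY /tr \"'C:\\Windows\\System32\\cmd.exe' /c backup.bat\" /f",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

The masquerade check keys on the file name rather than on the task name, because the task names here ("cmd", "smsss", "lsml") are chosen to look like system components and would not survive as a stable indicator; a copy of smss.exe under C:\Users\Default or C:\Recovery is the durable signal.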

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cddbcb6405986e2582059fd64321db1c7e14dd50c5c3ea4c68c4ca915a676a24.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Users\Default\smss.exe
            "C:\Users\Default\smss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:448
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3048
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1664
                • C:\Users\Default\smss.exe
                  "C:\Users\Default\smss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1324
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2408
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2820
                      • C:\Users\Default\smss.exe
                        "C:\Users\Default\smss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:788
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2928
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2176
                            • C:\Users\Default\smss.exe
                              "C:\Users\Default\smss.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1760
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
                                12⤵
                                  PID:2476
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2640
                                    • C:\Users\Default\smss.exe
                                      "C:\Users\Default\smss.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2728
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
                                        14⤵
                                          PID:600
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:2828
                                            • C:\Users\Default\smss.exe
                                              "C:\Users\Default\smss.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1596
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
                                                16⤵
                                                  PID:1644
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:1668
                                                    • C:\Users\Default\smss.exe
                                                      "C:\Users\Default\smss.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1504
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
                                                        18⤵
                                                          PID:872
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2892
                                                            • C:\Users\Default\smss.exe
                                                              "C:\Users\Default\smss.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2752
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
                                                                20⤵
                                                                  PID:2300
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:268
                                                                    • C:\Users\Default\smss.exe
                                                                      "C:\Users\Default\smss.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2212
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
                                                                        22⤵
                                                                          PID:912
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:984
                                                                            • C:\Users\Default\smss.exe
                                                                              "C:\Users\Default\smss.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1608
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
                                                                                24⤵
                                                                                  PID:2616
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:2096
                                                                                    • C:\Users\Default\smss.exe
                                                                                      "C:\Users\Default\smss.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
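The process tree above repeats one pattern twelve times: the dropped C:\Users\Default\smss.exe runs cmd.exe /C on a random-named .bat in %TEMP%, the batch calls w32tm /stripchart against localhost (a living-off-the-land delay, since the command blocks for roughly period × samples seconds and needs no network), and then starts a fresh copy of the same smss.exe, so each generation outlives its parent. Below is an added example, not part of the sandbox report, that reconstructs the parent/child tree from process-creation events and collapses that loop into one finding per generation. The event tuples are constructed from the PIDs and command lines in this report (only the first three generations are included); the function names and the finding fields are assumptions. Real Sysmon telemetry should key on ProcessGuid rather than PID, because PIDs are reused (this report itself shows 2820, 2928 and 1760 appearing twice).

```python
"""Tree-based rule for the respawn loop in this report's process tree:
<exe> -> cmd.exe /C <random>.bat -> { w32tm /stripchart (sleep), <same exe> }.
Events are (pid, ppid, image, command line), constructed from the report;
keyed by PID only because this constructed sample has no PID reuse."""
import re
from collections import defaultdict

EVENTS = [
    (2952, 2136, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (448, 2952, r"C:\Users\Default\smss.exe", r'"C:\Users\Default\smss.exe"'),
    (3048, 448, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"'),
    (1664, 3048, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (1324, 3048, r"C:\Users\Default\smss.exe", r'"C:\Users\Default\smss.exe"'),
    (2408, 1324, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"'),
    (2820, 2408, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (788, 2408, r"C:\Users\Default\smss.exe", r'"C:\Users\Default\smss.exe"'),
    (2928, 788, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"'),
    (2176, 2928, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (1760, 2928, r"C:\Users\Default\smss.exe", r'"C:\Users\Default\smss.exe"'),
]

_BAT_RE = re.compile(r'/C\s+"?([^"]+\.bat)"?', re.I)
_STRIPCHART_RE = re.compile(r"w32tm(?:\.exe)?\s+/stripchart\b", re.I)


def build_tree(events):
    """Index events by PID and build a parent -> [children] map (insertion order kept)."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def find_respawn_loops(events):
    """One finding per generation: a cmd.exe batch child whose own children are a
    w32tm /stripchart sleep and a new instance of the image that launched cmd.exe."""
    by_pid, children = build_tree(events)
    findings = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if not image.lower().endswith(r"\cmd.exe") or ppid not in by_pid:
            continue
        bat = _BAT_RE.search(cmd)
        if not bat:
            continue
        parent_image = by_pid[ppid][1]
        sleep_pids = [k for k in children[pid] if _STRIPCHART_RE.search(by_pid[k][2])]
        respawn_pids = [k for k in children[pid]
                        if by_pid[k][1].lower() == parent_image.lower()]
        if sleep_pids and respawn_pids:
            findings.append({
                "rule": "batch_w32tm_respawn_loop",
                "exe": parent_image, "exe_pid": ppid, "cmd_pid": pid,
                "batch": bat.group(1),
                "sleep_pid": sleep_pids[0], "respawn_pid": respawn_pids[0],
            })
    return findings


def longest_respawn_chain(events):
    """Follow respawn_pid -> next generation's exe_pid and return the longest chain length."""
    findings = find_respawn_loops(events)
    by_exe_pid = {f["exe_pid"]: f for f in findings}
    respawned = {f["respawn_pid"] for f in findings}
    best = 0
    for f in findings:
        if f["exe_pid"] in respawned:
            continue  # not a chain root
        depth, cur, seen = 0, f, set()
        while cur and cur["cmd_pid"] not in seen:  # guard against cycles from PID reuse
            seen.add(cur["cmd_pid"])
            depth += 1
            cur = by_exe_pid.get(cur["respawn_pid"])
        best = max(best, depth)
    return best


if __name__ == "__main__":
    for f in find_respawn_loops(EVENTS):
        print(f)
    print("generations:", longest_respawn_chain(EVENTS))
```

Reporting the chain length rather than twelve separate alerts is what makes this usable in triage: the generations are one behaviour, and the root of the chain (here PID 448, spawned by DllCommonsvc.exe) is the process worth pivoting on.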

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bc6b80a8cf1031a490715737f55d2156

    SHA1

    403ea6314710ffa962ccb1fb93c4c595a5a550d4

    SHA256

    600b607797fc89256107c38948ba1a39bcda588783ec4458a8781627e4f2b37f

    SHA512

    3bf529cd2eb17142a4c160d50521537e2b701e73923b0ffb385cb34cc04fe8e5750a240a63c65e086fe1b300d5e77f619cf9e41ee6587c96c9fd9a1c31832aac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fb975b05153fa9d50c506892dd57fec3

    SHA1

    bac9647d331db68ddeb0d2de04c9951a01e9207f

    SHA256

    50e20802df30b8f9004a797e819f01338e643bb413f1d5c19463aa6c16486810

    SHA512

    6da069f5b96a0f3acd73948b55378a63b01e1c8f3edf3c90eecd1d60da23f73cebb13ab82dce79e06579ec53cab3f2ab7adbc74783e2d2c8f66d5104acec6451

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2a57d70c58952f22158e614445dfa901

    SHA1

    c277fec1e0a0d9a6418078b672bb21276b0bd076

    SHA256

    ebbcd7b9604143ff1420e593888407e4a5e0666c7f8ed5629f52389280797a41

    SHA512

    f73a91d28b3e361f46562ecd5996beaa19474ac3b0f02a89f6bd0cd0164f2779124b9cbf36f114c5974099a4c193d50dcc18993b43351267d8e9f53e4bbe7279

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    df4452bba29f3c5aa47cb1e9dd3e9a16

    SHA1

    8403f42174dac2c98c317f63cb9007b24709731e

    SHA256

    eaa12e8ef3dae76fb612a129069fe4be0f854cf3c4b64069da50ab32c6396806

    SHA512

    f9343b08aaf1a2559f6ed825a96222bde22c92194b76db86f0d552afa1e8342c227f7fd9bcb3115145e68f9169faba886ebcd918b0a246950f8ccddc48ad170c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    645314f99b7b19ad802ca53559b1d421

    SHA1

    3bd7e261789628dbdbd3c1fa65f10b631186ced3

    SHA256

    348aa5780a54362ef7b0ca7dc6f9a2acd0cd843d9036540dd1266588755c030a

    SHA512

    a3a5b5365050cdf72264b0ee05bcc2e90d0fd8970ce7d6d0d9e4898e059232c8688ad698200bbe3b365ccd541770c58f706d8f0c8c633f686ebd09f0a8ed54e4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f78ead3ba55f2eabe253d18b913f52a9

    SHA1

    cf3e133c8a9b98a84c0f7d927a52bb2a02d08a39

    SHA256

    29fa6250f683d1668b94d9d6e65f3883cba86c9bb1509102221e9b1c76415f03

    SHA512

    21d1d9b7f53e4df96aa7aff20ad70a1188667b7e91cb74fa452d560b9d4d542ad0df019dcf4859653b6a859fe08d2bc7ad26d39658d509e49ca9a7fe7c14cc9f

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      78139e91335e0ffc00ad17a0599feb2b

                                      SHA1

                                      710dc688caf8c83f162a1c3f74d094cfe142fae4

                                      SHA256

                                      a2f236c82e802242174258cb954cc497612221e0d582dca6b58209fb9e829a96

                                      SHA512

                                      e9923a73d81293a94bf34b049794370d4312f20357027be32645ea50bbc54883ab6359901de5289a756c6170ffeb90bbabe0672895e1da40fd9bd7f25e940c14

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      ab412a6755ce255e774ff897349c946e

                                      SHA1

                                      180b1292e659c80a9683f4e66088a58b387cd6f7

                                      SHA256

                                      f52dbd0b11fa01be9e28067529805c7d8fcefee915cd2f0d442f42840572a674

                                      SHA512

                                      d4236a2eb797724f3634019ffaa6457a7f303dd2d75e5f5bce005e162cad7a0b2d7ac20f4292e6760f1af81b8517fde9171004da548a019c01834bd29741f585

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      cf4081ed36bdc88ab1cde59907428e76

                                      SHA1

                                      c3f924d6d307d022c6bdbf0037b09cc86633a03b

                                      SHA256

                                      917c524d5f5077b5fd460c2dee8defd97237ee8778f37d58bbd039df49caf29f

                                      SHA512

                                      57b872a883664d2e706eaad495d82ad97d6b23a8f7164e933e70523e6f25228a34436c36344e397e422d9c5a4277265d61ea2059a31118d16ce3dabeb3dc325e

                                    • C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat

                                      Filesize

                                      190B

                                      MD5

                                      a502f811e9c4207ac27ad36acffba64c

                                      SHA1

                                      9c502a394f626ec7f22d896520d66a10c92a2c5e

                                      SHA256

                                      4ddec2252033c970fdb71e63c06e1fad7aa123068d477993df565f869204f8a2

                                      SHA512

                                      fff557b87e3b7fe4dbbdc06c8cea7ecd71b4f022a375f82864ff0a5d5e978c328c9cb44a03425c18668ee20a461a7537b2c8e858441aa313c67cf2dc90ab3248

                                    • C:\Users\Admin\AppData\Local\Temp\CabEBA8.tmp

                                      Filesize

                                      70KB

                                      MD5

                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                      SHA1

                                      1723be06719828dda65ad804298d0431f6aff976

                                      SHA256

                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                      SHA512

                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                    • C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

                                      Filesize

                                      190B

                                      MD5

                                      62dc16ee42ea768c90df17dbeefa205d

                                      SHA1

                                      06e4128c301f03d308faee2295d18f7bb1c4ad6f

                                      SHA256

                                      62d3b3f1f81b36eb8d8b3ee65c00e331ba8dac187f1a9c7cf098524c9cf6a056

                                      SHA512

                                      4ce2eae77558ef4e883e319ed0c2d830877129fdf64e0df123c9d291837d7afec70f83ee60a3f73ece447b1f65d8aedb61d6aac47c87162705b564bb851c5ac2

                                    • C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

                                      Filesize

                                      190B

                                      MD5

                                      0c1d870a7a4eaf3d21b832d0776ae4df

                                      SHA1

                                      b5606f09a40136d4ef9d6ce291698ba1b57983cd

                                      SHA256

                                      e7c8a1d280b9a54dc9315ac228461218ad8b5f5d68b4fa3ce20c83d591c897f0

                                      SHA512

                                      c850030c18654ab0e21751799bcde6291fe3526f41aa72bb0c345f4aa2cb6ce8d64e773c51d58139fe984a8c7f4ff00e40975318dffa85596cc95a2f560b4032

                                    • C:\Users\Admin\AppData\Local\Temp\TarEBBB.tmp

                                      Filesize

                                      181KB

                                      MD5

                                      4ea6026cf93ec6338144661bf1202cd1

                                      SHA1

                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                      SHA256

                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                      SHA512

                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                    • C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

                                      Filesize

                                      190B

                                      MD5

                                      f32b2689a8d1515537e9698eaa66a456

                                      SHA1

                                      f65d481993a13d3edad3d7839833b0b831755e33

                                      SHA256

                                      bd5159848053570527bb42462cdbc055e2a5f4b626adbb24164f896570747743

                                      SHA512

                                      c116de9b2903dca6930f1865316dfbe34ef96d724e414c0b81b937630627be765010044d66ce911269e72138d70f89c9e2a62e99ebc2a74ade3eae54d6e822f2

                                    • C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat

                                      Filesize

                                      190B

                                      MD5

                                      8ae3eefd6e28ca18b10d63ebd8dd285c

                                      SHA1

                                      3b842e32dcd3fc7be0d37b3a99d24389c058469b

                                      SHA256

                                      3dbd8407a8c037b8f8053b30f054a86203915f3e21ca74c6f6f1d011271219c0

                                      SHA512

                                      6dcc57f1242e6225d458fd0c85adc9bcba39b8ccc9e610f009872e727f1c9e637d7d7cc66b25ec3ca8d0449debad8e15a4a0f57993f9ccaaafc33fe73f2b4154

                                    • C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

                                      Filesize

                                      190B

                                      MD5

                                      9455e9e7633cc576e159ee248f13463c

                                      SHA1

                                      d4c644c62ceccab195a3d97485c174d8bcafac4b

                                      SHA256

                                      61db138cc3cf8a581a1d1b1f8ae69713ad145882ee48f5b980014c9859bdccf9

                                      SHA512

                                      4184eadbcd7e4bdfca3058fba41097bf0eebf3ca149fbbe51c9d7db5d2dae790a8ffd5451cbc0a596839c0a2020f69e3a4e13d4c2b2f344e12108a4ab4848094

                                    • C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

                                      Filesize

                                      190B

                                      MD5

                                      e902853ebe3f38058fda741642058801

                                      SHA1

                                      97e5e889d87d556d1201c23962286c72dfb5406f

                                      SHA256

                                      52b883ddf2e4f5d8b986f3e71ea97a6b7feaea58f018a8ecb9859002292449ff

                                      SHA512

                                      d8874aa1e93316a840a5a6f49d54e3c1e17725e3aa916726033d72d60c234a4910520d8a08e8ff8989d089609df548e228b101767f0ff53dd620db3b5ed4e266

                                    • C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

                                      Filesize

                                      190B

                                      MD5

                                      6477089a9bd8e033c16502bfce7bfb6f

                                      SHA1

                                      2f5ff18a41c846bf5fd12335813854d58337de9b

                                      SHA256

                                      aead4cfc2e765dd49227857bc72c1b5da075bc6e58d3247e1536aa4e95ed97db

                                      SHA512

                                      dc05c2673d57d6b0ddb7ec1c1d3e21736b96b69a61726e40a2e96981b8a65aa9b4bccad8652a6b2ff70931ee05740e7898d79fb18b3f93e9c8f17375850e00e7

                                    • C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

                                      Filesize

                                      190B

                                      MD5

                                      e2ba803b5b81d549d1ec7ecef5304bb6

                                      SHA1

                                      0d649c0b70ba5fb3161ad7e8cc3767dde7cc8a15

                                      SHA256

                                      dbc393ca8f0cd931b14824186c20215d35dd090c522fb40180656274775be1bf

                                      SHA512

                                      1331a23401b96a42c3125c353270df1ce1818b035c829a9795d673a8afd04307e4639e5fe7e56401e288f6189ca702db29e8cae787e6e46dae67bd7d0acefdd7

                                    • C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

                                      Filesize

                                      190B

                                      MD5

                                      57274bb74297777f79c0c60b8d010a8c

                                      SHA1

                                      9c9855c1630944caa38d9367e7b34c9af4e8da51

                                      SHA256

                                      979994a209807f2548c6d95e5fc0882b39e004627aa9f2dfff491d170cc583b2

                                      SHA512

                                      2e6f89aca3f77a70b5162a2ab99c3836b254d6cded2154913935892ed29eb56694cb95630a47780ed20491cb53ca2aa01f209077f0894a1908b9ecd6e0298134

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                      Filesize

                                      7KB

                                      MD5

                                      f69434e9ad5275b4f2e88f530439d60c

                                      SHA1

                                      a54fa7e2e5763f53bddd4b306c73356167034dbe

                                      SHA256

                                      1bde099f6a99a5f5c489898b8ea04119017741389fa4b843cd1c57120550a7bd

                                      SHA512

                                      dbbbc0bf921cad4c5df4b5b100ab6f469e3f144dab469fc10c25e24d90ac49c416c18aba00161fee80d39f2a5dd4e34bc3673395592eca43c47ab96a5f4b4658

                                    • C:\providercommon\1zu9dW.bat

                                      Filesize

                                      36B

                                      MD5

                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                      SHA1

                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                      SHA256

                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                      SHA512

                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                      Filesize

                                      197B

                                      MD5

                                      8088241160261560a02c84025d107592

                                      SHA1

                                      083121f7027557570994c9fc211df61730455bb5

                                      SHA256

                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                      SHA512

                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                    • \providercommon\DllCommonsvc.exe

                                      Filesize

                                      1.0MB

                                      MD5

                                      bd31e94b4143c4ce49c17d3af46bcad0

                                      SHA1

                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                      SHA256

                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                      SHA512

                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                    • memory/448-43-0x0000000001090000-0x00000000011A0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1324-138-0x0000000001240000-0x0000000001350000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1324-139-0x0000000000670000-0x0000000000682000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/1504-436-0x0000000000240000-0x0000000000350000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1760-258-0x0000000001260000-0x0000000001370000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2396-674-0x00000000001E0000-0x00000000002F0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2396-675-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2752-496-0x0000000001370000-0x0000000001480000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2820-49-0x0000000002390000-0x0000000002398000-memory.dmp

                                      Filesize

                                      32KB

                                    • memory/2820-44-0x000000001B5A0000-0x000000001B882000-memory.dmp

                                      Filesize

                                      2.9MB

                                    • memory/2952-14-0x0000000000350000-0x0000000000362000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2952-13-0x0000000000090000-0x00000000001A0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2952-15-0x0000000000360000-0x000000000036C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2952-16-0x000000001ADA0000-0x000000001ADAC000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2952-17-0x0000000000370000-0x000000000037C000-memory.dmp

                                      Filesize

                                      48KB