Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:59

General

  • Target

    JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe

  • Size

    1.3MB

  • MD5

    f6c59a68cd83fc2707dbd04b33395149

  • SHA1

    54c4b461747a56b4cb94fb1bd7e68f5b25b9c387

  • SHA256

    639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041

  • SHA512

    2743f7c5cb515bfa3e4b1c62717930b4fb33a51b77a1d59662fb94145732adda7f39f9124fb00e61ed5c73fcc91a5f0bd71a7b5b336fcdad9e70c4eb2f224702

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_639905b41b130d400424dfc927ee0c92d19112f1038c4b5d8d9a53d3b881e041.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2372
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Tr1H9JjvN.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:836
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:772
              • C:\Users\All Users\Application Data\explorer.exe
                "C:\Users\All Users\Application Data\explorer.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2012
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1808
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2016
                    • C:\Users\All Users\Application Data\explorer.exe
                      "C:\Users\All Users\Application Data\explorer.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2472
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1748
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2708
                          • C:\Users\All Users\Application Data\explorer.exe
                            "C:\Users\All Users\Application Data\explorer.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1604
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
                              11⤵
                                PID:2164
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:956
                                  • C:\Users\All Users\Application Data\explorer.exe
                                    "C:\Users\All Users\Application Data\explorer.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1880
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                                      13⤵
                                        PID:264
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2924
                                          • C:\Users\All Users\Application Data\explorer.exe
                                            "C:\Users\All Users\Application Data\explorer.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2296
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
                                              15⤵
                                                PID:2132
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:1108
                                                  • C:\Users\All Users\Application Data\explorer.exe
                                                    "C:\Users\All Users\Application Data\explorer.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2508
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
                                                      17⤵
                                                        PID:1184
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:1960
                                                          • C:\Users\All Users\Application Data\explorer.exe
                                                            "C:\Users\All Users\Application Data\explorer.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1136
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
                                                              19⤵
                                                                PID:2956
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:772
                                                                  • C:\Users\All Users\Application Data\explorer.exe
                                                                    "C:\Users\All Users\Application Data\explorer.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2896
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
                                                                      21⤵
                                                                        PID:2844
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2072
                                                                          • C:\Users\All Users\Application Data\explorer.exe
                                                                            "C:\Users\All Users\Application Data\explorer.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1612
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
                                                                              23⤵
                                                                                PID:2188
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:276
                                                                                  • C:\Users\All Users\Application Data\explorer.exe
                                                                                    "C:\Users\All Users\Application Data\explorer.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1088
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
                                                                                      25⤵
                                                                                        PID:1348
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:1464
                                                                                          • C:\Users\All Users\Application Data\explorer.exe
                                                                                            "C:\Users\All Users\Application Data\explorer.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132

Network

MITRE ATT&CK Enterprise v15

                                        Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6f91fb3a71a3b720407f5a0266a3d8cb
  SHA1: f32f26cf62b9cf4070e9b44ae4223e6688fa57aa
  SHA256: ac0abfb54ca5e2ccff8d42c3ddc67e590431bad60f5c3245f505ed34c0fcc691
  SHA512: ea18d36ca73f5606252c80ff6e6df3fc0c36de0c9649202bad2a177cc5394275b1be8cc1b8491c7b327629e663f66723388487d36851544a94a283b885d856cc

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 514f5266241e1251d3fe9f9d80d8852f
  SHA1: 89cdab9964026aa74a1dd6ea557ab658a0e817ea
  SHA256: 09dfed1b77473755d0a1e3cc31077130e15aca16eb4932905fac067f5b160aae
  SHA512: 6ee41cb85740bdd256cd236f6681aebec264d65ade585c10c6ff0d20b85e3692e4df6db85d2afade2237d7c070e4216333c333c2261eaeed361399157c16be5b

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6a14b741b4121afdd8593dfeabd82309
  SHA1: 559bab55c35be31670478d12ef57c32ca3d4f549
  SHA256: 982e2df86a53aabd4adac635679b127c14a4bec04609d442b71123e80a0421aa
  SHA512: e3021d9a09498778cc1a21f3650c58788880510a04ed84b1d384fd295adf88fac8f653dfff5bee20587a534e154b73b7111a885bed4fae99c32c093228c24c7c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 98c95cfacc4204915da53c27d38bde56
  SHA1: 347f5cc4b92c3f48321f2b1b3100e9e35b0299dd
  SHA256: ba4931429a06422ec11b0ada5a031b33d3bd004a2f871f5c5bcf9ee8dd830f74
  SHA512: 6726006e13de15cc0015430a2eef7abc704c7d8163000d58c13f9e011def47a6fa403ddd3988cc27bc748d9e2ece5be64fe542dcc83f83d664aa4d7ae892989a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 92eb22a69b797f02fadda86bea7a8e84
  SHA1: cd81ebed377b1bbc19c628d65b4739de227febdc
  SHA256: 7db05e64e82f0fcb03113e1de97801ae6b58bcd025656976751836717ec5b251
  SHA512: d6d71de86ac862e90097041e22f6279bf67148d1e1be1c5d8442cf28fabefce1f534e8aae24aa3d74c08a989eb9fb4b858a84301c8046161b6a63da737f59712

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ed0c7ba9fc536e47d1ace7d2c902b31c
  SHA1: 9e4c52555019387a0b400f7be0c951a6b5aec568
  SHA256: 9c371312ea0969cd35f6ba7aeb90fc197a800d36e10b823d950a6088fdc43b12
  SHA512: 799277db17415dcda21b906973a02ac254490b8b63d8ebea4f25116324c5713a304141144e97bcc0baeaeedb87bca90ac50778ca27615ff5a818d9f440cda819

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 95e1cee75bde8b8ad8d2a4de8f334388
  SHA1: e21e7b0654a62413af657a88bfbacf8f340a9497
  SHA256: 258a869cd6a3a22ea28a629adadba52e450eb7f6c3b6ac367ae2220b007e6758
  SHA512: c78f8642d69c8c5055067e4b6642ae5c016bb082936771fa4734ef64e18413ec27c7960463caf888834fe535e0a6c02214c12a01617bd6ab8832af46d2435f5a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 762565e6e5d9ce27331439dc04aabfc0
  SHA1: d0556d94808cd2f2caa2bb9b4c932d496816669a
  SHA256: 8b57fa2c7f95bd935ea96ca2ec8f614804e4f1a27322d710989f9463706fad88
  SHA512: 828d7f662ad43e285b6b67423edb3ffde8797f1ffbbdf62d28796c6803d02b2e1604bf2203032f01176450d184ce7894ffd2a4f88d3a1572120ed7995cc70de8

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f616b174f3d4a1841c329cef6784998d
  SHA1: fa6b0f4f6b41f752fd471a7835496dcd18b9f4d0
  SHA256: 1d8126fe14b8135fbd02f40e4707e5543f371459c65dcc1b5e65bdf4390a7dd4
  SHA512: e30f27fa855ee57a8a5484b686d7c9d16a0cb878bba7d7e9216d88eb511f4d74c366b5cac329e93e0d6246cb18677fb7b211e042d1e3127c5fea12945567d7a8

• C:\Users\Admin\AppData\Local\Temp\1Tr1H9JjvN.bat
  Filesize: 213B
  MD5: 57b2d5dbf5aa5c4006f572dea6429ccf
  SHA1: 87f1c5910d1be6f02cc92d353d9b7d4d223ea125
  SHA256: 12f59773b06b603991790181367386326ff5825729d6f727e44105754e5b7e55
  SHA512: 5f1b428bde5710c1302e8ea8450ec1da2eba4174b9738fc5c24a1b6b480137a6c9f7e66e8e44c1725f9aab3323fe4e12bfa3b76d4115b09e233da14b7dcf8356

• C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat
  Filesize: 213B
  MD5: 91e4a5689e961ee6666ae817faa06299
  SHA1: 6975c5bcab9300b9f6619b1ac87c1616482d6300
  SHA256: 600b5989b1e63e270e45b4200ee7ef504b60a820807c90b9d2b46c17a073ca3d
  SHA512: 0e862605587e8f1416efbe6086e6a857e4ca4c12b0f7ecdcecd68fdba82f6d418b1464b9ee124684624b3fa38051e7dd27b4c6c1781fd41379403096c14d699c

• C:\Users\Admin\AppData\Local\Temp\CabF1B1.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat
  Filesize: 213B
  MD5: 2608e6d717d3cc3e72fa5bf4cbfaebdb
  SHA1: 220f80acb32d5059b121305414d9d066b92d0a5a
  SHA256: be6ea3dc4075bd722067d463739a49009f7055ad5ba739657efb701bfb122e86
  SHA512: 6c0ba9daf9c28e8b818c348ba148702a3ae3cb1de83f0fd050b966a0867e914bcf0c869874e3982a2612c5d76c78d60af95107b5c4c06a0d0b0a478b4e7a2a2a

• C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat
  Filesize: 213B
  MD5: 93071e49ace418ab55380be59a781ea6
  SHA1: 2cc76fd9300963cf31b8c14f0bf53ed071f05242
  SHA256: 72a91858d7b3d53a6dd1fe363db71a22cd23c328adb00cd6980e515294fb0e3f
  SHA512: bb5fbb75e4dea2d1bf253401220231e4142ffaab9160f0da51da20fe3971502664b67da7bf2e41948a1aa8e3151f87fc760d3907406dcb6d5737d2014d19d345

• C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat
  Filesize: 213B
  MD5: 4b56cdf7d1fe32a9195b1b37d48d5dae
  SHA1: 210ad30d6ea30290e77f31933079d6d27d66e925
  SHA256: 3a51e62e9ff272ba0b2242244ebfd6850b5dfe8fe69245aa4e2639bef4d37a4b
  SHA512: 478f2ef2643fcf7933592b10630e57a3c82ba0e481eef0006164b00a5cf302875d5a4712d33b783b22fe827019acf6e393077eda935dd62c7759b158770c68d4

• C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
  Filesize: 213B
  MD5: 067c24d5b926c99eb6a36c471085f3ba
  SHA1: 069cf7444339781fb5ce760091210c0766ce4955
  SHA256: adbae9efee2ca7645e9c94e7c83f8581e7ae68b911e0d7f730064ba380c013ed
  SHA512: e2b001672a625e8ad6302f276f07f12564f9b36b3fd4bf58fd0a446ad721591391708dffddd5c247001efdf08cdfb842ded556181c941b42f641051408fbc69d

• C:\Users\Admin\AppData\Local\Temp\TarF1C3.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat
  Filesize: 213B
  MD5: 792cd1accefc618eff3a214eaeba6a68
  SHA1: 576fdd79e1f7ae96e1734e0550af65c9e6091610
  SHA256: 617492227b4b6cc4d86af56a4337f5122440435bb8524e3c9178059b53f50617
  SHA512: fe80e63f499f3d1d28fccde637a1daba6a53dca8ae05fa6941212ab410e5fb87fe76e3f4bf1c9ed99a63765dad560a0a707db508dfb5a1d281a23e0c6fb6c05e

• C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat
  Filesize: 213B
  MD5: 1b98979a6b17c3fbf5e4203a11bc7004
  SHA1: 8ebc1c07be35426a923265fa989b14aa9120ba3f
  SHA256: a1ec11effb454d17c6373b9d25cf7d3ac2490b82192af0a5779a46d642e4e465
  SHA512: 4f017643f0ebc6f702f0acd10ee4741ccd16db7b079cb0927eea6423d49c7aa477a1d6ac3a8ecdbce763bbcf0ec08f87c21b20e4c23c378a1bb97b2c54631d95

• C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat
  Filesize: 213B
  MD5: 84dcae0a4d186fab971de1515430cf01
  SHA1: e93324792dbe11bae2d484720521393d1131bdb9
  SHA256: c8043c7bb02e71e73569655218406ab7b8e2ea1a86ff7c49c04df61fe8e56a54
  SHA512: ac8f21b95a315ea075f1fc48a239eb589d69ff5323338c6e332f6a07b4545ad871a4bd241067b625e1e691ecd7cc886df268e823704528485ab2b6443e4fe650

• C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat
  Filesize: 213B
  MD5: 4ed6b40f5dcff075ead52842ba507d09
  SHA1: 66aa16a0976694caa2ca6cb4935600caddd59860
  SHA256: 9fe77b773248b37507971e8d17d1a8aee044551128b3b32bc4f529777bd61628
  SHA512: 7e34f05ad316e509d4497b67f5cbc42fa34e5098a7f9b4d91731d2a1ac3a4ac92aec9c493ca104f18dba1f006d1cd560c1cf6fe142c5d41b88d02439c12df0c2

• C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat
  Filesize: 213B
  MD5: 0b2c3f3d9a15baacba859882b33fa082
  SHA1: a0a2e2d76c14f4348e91a23977ba53a10694ec1b
  SHA256: 0809cf9d60a134d46f548bd2c03738b74f38eece246922fe9602fd7ca42a8df8
  SHA512: edb47f06d46be7395fd2a231f46a85ac8b671b5ab502f8d1fe8c2fd7b3f2d2bfe8cc9b1f3ffaff4e76f4750142c4fef3a4452f5d364a689dc07d242b64828b2b

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: fd3ae21bcbe6c37139396a8cd4078760
  SHA1: 604a3d508727d42544b0d26472cab77465d3db02
  SHA256: 068c2948516bee2c81390a0a7d67ce75841aa2f29e2191e06c28bba03dfea34f
  SHA512: c5a6b6d5b5f53e3063e8a5018a66e494a72f56bdc7b1a3fd1a56a41bcefdc84eb04538e1cffc6387a625f1f76a0d7e8f46f6f70b99bcfa6bd15334d529c4436d

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/1088-616-0x0000000000290000-0x00000000002A2000-memory.dmp
  Filesize: 72KB

• memory/2012-80-0x0000000000F30000-0x0000000001040000-memory.dmp
  Filesize: 1.1MB

• memory/2012-81-0x00000000002B0000-0x00000000002C2000-memory.dmp
  Filesize: 72KB

• memory/2172-39-0x000000001B560000-0x000000001B842000-memory.dmp
  Filesize: 2.9MB

• memory/2172-41-0x0000000002220000-0x0000000002228000-memory.dmp
  Filesize: 32KB

• memory/2472-141-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB

• memory/2472-140-0x0000000001340000-0x0000000001450000-memory.dmp
  Filesize: 1.1MB

• memory/2484-17-0x0000000000380000-0x000000000038C000-memory.dmp
  Filesize: 48KB

• memory/2484-14-0x0000000000350000-0x0000000000362000-memory.dmp
  Filesize: 72KB

• memory/2484-13-0x00000000011C0000-0x00000000012D0000-memory.dmp
  Filesize: 1.1MB

• memory/2484-15-0x0000000000370000-0x000000000037C000-memory.dmp
  Filesize: 48KB

• memory/2484-16-0x0000000000360000-0x000000000036C000-memory.dmp
  Filesize: 48KB

• memory/2508-378-0x0000000000440000-0x0000000000452000-memory.dmp
  Filesize: 72KB

• memory/2896-497-0x0000000000530000-0x0000000000542000-memory.dmp
  Filesize: 72KB