Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 21:21

General

  • Target

    JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe

  • Size

    1.3MB

  • MD5

    fbc0492478d6a0ce76f09ff19db60c65

  • SHA1

    c7815fb0ffeee30f98b6e762bdeb2c784d14f15a

  • SHA256

    d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389

  • SHA512

    4f6b740f9ef5b1fec951aaaeb3563832c95c61144de231f1b0e133bebe9ddf4eb94f071a730477003a9f4a7bb7ee1dcd0aabfb1292607aaabc1bae16356b7acf

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:768
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gl9PPr7sC8.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2152
              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2968
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3044
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2796
                    • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                      "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2908
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1592
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2172
                          • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                            "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2092
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1640
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2180
                                • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2744
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
                                    13⤵
                                      PID:2512
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:1968
                                        • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                          "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2800
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
                                            15⤵
                                              PID:2532
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:1080
                                                • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                                  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2256
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
                                                    17⤵
                                                      PID:2432
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:2740
                                                        • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                                          "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2008
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
                                                            19⤵
                                                              PID:1608
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:2368
                                                                • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                                                  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1532
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
                                                                    21⤵
                                                                      PID:2568
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:2108
                                                                        • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                                                          "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:860
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
                                                                            23⤵
                                                                              PID:3036
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:1252
                                                                                • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
                                                                                  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1072
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat"
                                                                                    25⤵
                                                                                      PID:2416
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2312

Network

MITRE ATT&CK Enterprise v15


Downloads


                                        b5d412fadb88bf0fe55c7932895c9945f0bd202a815acd73c4519025d62a5df1fe937f24cc8d5fe1baf96da39082af42336137cc6900fca524c5d40c8b05ca06

                                      • C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

                                        Filesize

                                        225B

                                        MD5

                                        998f4d1cb960c5a6edf3f73107ef7939

                                        SHA1

                                        9517b059d1c355d33635f2373392115f84cc96dd

                                        SHA256

                                        5f95bd5792a9c25ee027135876731efd57b5f6b370b38c4dddfed26da07f5296

                                        SHA512

                                        2759b183985cf148b46e396d204466499c9eecccdd13041efb9d89e29b3519730f33ca00d8ad33cdc9ec30612852c6d5fb4c03ed186be381556a50d370a2e6c2

                                      • C:\Users\Admin\AppData\Local\Temp\Cab1316.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat

                                        Filesize

                                        225B

                                        MD5

                                        4ca8f99c8a6ad161dc2af000744a52c5

                                        SHA1

                                        e62ece35dde3ced763d3f4500590e1c89b6aeeca

                                        SHA256

                                        7d8a788616df8f0be206311cfbd09d1cf8bd4d10662624426222901553238515

                                        SHA512

                                        25db9ae0cac0a172aea3011c5bd8b744fb0924c2bec9e19da9254fcab4976ac0cf03c98190ad5d9a4c8d676fa98a7d845f7c5af2186bfac7493d5244432d2c56

                                      • C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

                                        Filesize

                                        225B

                                        MD5

                                        9ecb27a1bc0a55e9ebb743dd56ac3a89

                                        SHA1

                                        073dc81ada5e72c587c9728753f5aec55b19380b

                                        SHA256

                                        b81d8dff97c229c8bde04766728f046f44f84a839b2c6120dfb7cd4bec73b718

                                        SHA512

                                        c073f4fdc44d2931f9ce7e48ba1a950ba06b8767e9b82dc67981db552de0d0d03db8c4e24617924e7a078798fab2436b6ce13d11652323144288bc8203e67630

                                      • C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat

                                        Filesize

                                        225B

                                        MD5

                                        dd2281b890f80806a72f4c2c73316bd1

                                        SHA1

                                        d42bd0aeb19c666b700c999a2052b5d81b00ac66

                                        SHA256

                                        51714aa5149213cb41b6afa5eb4730b6fdcbf83dc4fda14986abbda52122fb03

                                        SHA512

                                        6dce2cc768789c01afd0f818fa02dec52d181681539e1d2f55077619620e6d6d644bb4ede1b069a2d9544242d55eb32a9c0b64c4670a8f6ba65be6ed0e17cf5b

                                      • C:\Users\Admin\AppData\Local\Temp\Tar1338.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

                                        Filesize

                                        225B

                                        MD5

                                        5f60972e77115dbd0497d1fc0a6e3da1

                                        SHA1

                                        2144230492de273cb62d5757e47c91192006541f

                                        SHA256

                                        8cb8d10442e310d83604c839978116a232f8b5603c5a5aaa14dbb86333f0016a

                                        SHA512

                                        6934f24f4711ff5cd001785d4f770da62ec8793f3e3e3e84fa6de312d07e22de8f146b18db2331c82606b1f53baa362a31cd1cc22de5987a2d8a6e7f6daba5ce

                                      • C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

                                        Filesize

                                        225B

                                        MD5

                                        223ebdd6bfc555d36b3e51cf9adb9630

                                        SHA1

                                        5b3894f3bf9092e380dd029875bde9afe5f8ecc7

                                        SHA256

                                        18480fc719d058f540a11aee5c1ab83ce342cd5b261cba65502d86fd305ae375

                                        SHA512

                                        5ca020349c1101e481fe5ce3e0f7340f4f582aaa2a661a687398c5895619e94c02a8bb0683c59d69db33f9995c016e7729e45deaa2dff27762bfe55899d1bd68

                                      • C:\Users\Admin\AppData\Local\Temp\gl9PPr7sC8.bat

                                        Filesize

                                        225B

                                        MD5

                                        884525d728f0f555099fdeb74ec4b7b4

                                        SHA1

                                        e076d05c4b106e287f60a4f4124281b5632d601c

                                        SHA256

                                        6f6a5bd5dd84df9bf98c95c70582ddd1d1ea010f281e5d658af05764ad76f558

                                        SHA512

                                        dd687e788844f106a57d88f32065a4abf3630601ec2ec53c75e72786bb3208ee7ea69416c658a682a0c596ca5c2096614fc278bc65f3aed4834b2318edfe3f86

                                      • C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

                                        Filesize

                                        225B

                                        MD5

                                        a4bc4fb6a5e0622cb19e68cb699c4cd1

                                        SHA1

                                        8404131726be3d7a0c5d75bb57349b3513fe6de1

                                        SHA256

                                        177690984f555e28a29f9bfcaffdfb60193ce215091ad6bcfcaaf756105d79d4

                                        SHA512

                                        8d3a4220ff91e176762e61fee1dbe55f02cc7f3a215941639729a7cebeb19c85a4e63ee19a9620bfc6f1fa0b7f0cac6583fc4c22c5de41d5937f9b9b6ca0ad78

                                      • C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

                                        Filesize

                                        225B

                                        MD5

                                        acd196cc21b0128fd5ff3cabc658dc21

                                        SHA1

                                        e4ef04fa773cb88ff70ea304e10b05e2f02f40f7

                                        SHA256

                                        5d911df9c4780667bd90216daaf1e4697bfe516d64b886361c5e086f84f2ed55

                                        SHA512

                                        d6d9d8b9b631111ad46fd9b5eacb0cd8ec717cb97ac286a949284c6855e1b357f34098207af59606faee167dcee5a36d3e8637a8275b9a46f30473e11881043d

                                      • C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

                                        Filesize

                                        225B

                                        MD5

                                        aced993ff4739069b4a93b77e2e26923

                                        SHA1

                                        4d28d9c8663b2e6c70855ff1779cc4784cf8c958

                                        SHA256

                                        6ce114089960a9e4935a63faef20987cd558bb8c0d9b7e7306c20b0094fcada9

                                        SHA512

                                        0a4e08247d6682698ad399abbf5a2b1b6c315ebf4f9e6804e0e8643720cbcf0757105a1b098fa8156571385db883172ea05a0a3dc43bd40bda8f3bfc05f89cd7

                                      • C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

                                        Filesize

                                        225B

                                        MD5

                                        8f7871418ebb43c3913eeaf05f6f91bc

                                        SHA1

                                        384477977c1e0b0785b5f3ec00c5a001ad208a94

                                        SHA256

                                        cd39e11a78eab1a32d56f4a19f7ae0a57b95ee8657440b437f52117ae09befa8

                                        SHA512

                                        2ef4c83bbcd8dbfae6dc01d5af0c68f097bb85c63d2837a6232209e69b59552581ebbc80bf7c8e2a5a894774fa6025dcb0c14165af71e79ea2bfa78dee3ec747

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        7e0f01b4fd787391ab6ebe82d14ec64d

                                        SHA1

                                        60288cd513e17d093bbe1b52c16c0b96c07c3b68

                                        SHA256

                                        7e5219bcaae68eaeaf8c195b92e9fd7e34a03bf6eeb322d647f4e4888adfe69f

                                        SHA512

                                        34c68eed00ec55a279b44856829a524f0490d17ad8761f14606c4de6a8db826c525eda6cc5ddf00fcd1afabed6878f485e05ff85f871fc9c549e8b297bdd5d72

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/1532-479-0x0000000001350000-0x0000000001460000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1996-16-0x0000000000160000-0x000000000016C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1996-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1996-14-0x0000000000140000-0x0000000000152000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1996-15-0x0000000000150000-0x000000000015C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1996-17-0x0000000000180000-0x000000000018C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2040-37-0x000000001B580000-0x000000001B862000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2040-42-0x0000000001E70000-0x0000000001E78000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2256-360-0x0000000000F10000-0x0000000001020000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2800-300-0x0000000000210000-0x0000000000320000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2908-122-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2968-63-0x00000000008A0000-0x00000000009B0000-memory.dmp

                                        Filesize

                                        1.1MB