Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:51

General

  • Target

    JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe

  • Size

    1.3MB

  • MD5

    5a0aeea3a948710e406ba5ab73ad36f4

  • SHA1

    4f7ca123a53039d31712dea1d29fe1edc1a8662c

  • SHA256

    8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79

  • SHA512

    20cb22496db596c9bf9c80495ba93d05fdf6762bcb69db01820d1bbb218a92fdba89278ab2568d974e1dd96adc7feb03c558b252fdf81224a320078d6703d09e

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2724
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcjBxfEQhp.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1808
              • C:\Users\All Users\Adobe\dllhost.exe
                "C:\Users\All Users\Adobe\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2996
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2596
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1300
                    • C:\Users\All Users\Adobe\dllhost.exe
                      "C:\Users\All Users\Adobe\dllhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2744
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2368
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:688
                          • C:\Users\All Users\Adobe\dllhost.exe
                            "C:\Users\All Users\Adobe\dllhost.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2724
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
                              11⤵
                                PID:2928
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:2100
                                  • C:\Users\All Users\Adobe\dllhost.exe
                                    "C:\Users\All Users\Adobe\dllhost.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1100
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
                                      13⤵
                                        PID:1980
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2800
                                          • C:\Users\All Users\Adobe\dllhost.exe
                                            "C:\Users\All Users\Adobe\dllhost.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:284
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
                                              15⤵
                                                PID:2056
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:408
                                                  • C:\Users\All Users\Adobe\dllhost.exe
                                                    "C:\Users\All Users\Adobe\dllhost.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1148
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
                                                      17⤵
                                                        PID:1092
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:2948
                                                          • C:\Users\All Users\Adobe\dllhost.exe
                                                            "C:\Users\All Users\Adobe\dllhost.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2428
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
                                                              19⤵
                                                                PID:2016
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:1008
                                                                  • C:\Users\All Users\Adobe\dllhost.exe
                                                                    "C:\Users\All Users\Adobe\dllhost.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2716
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
                                                                      21⤵
                                                                        PID:2404
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:1812
                                                                          • C:\Users\All Users\Adobe\dllhost.exe
                                                                            "C:\Users\All Users\Adobe\dllhost.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1956
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
                                                                              23⤵
                                                                                PID:2368
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:3012
                                                                                  • C:\Users\All Users\Adobe\dllhost.exe
                                                                                    "C:\Users\All Users\Adobe\dllhost.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    46eee2af9c38ab4001baba9d5cb6b39e

    SHA1

    8f5996d9a74e4fa035bd2271112437b0f90b07b7

    SHA256

    80dcec2227933199e05bea80b406d7698a7916691463494c157751f7ecf372d7

    SHA512

    6b5b71c4162f4a0185730f5224d9c40de082b011fe8d653714fa0b99b3d4ae5c9ff2ff374e5d4c1bc805316632b42e4cf158fee172f1858b14c32679b2bf20b2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a2254e8b84a56ca82dd88725535cadd7

    SHA1

    4669bfc0d3fe5802a5f2eccd4f50f37b1220a594

    SHA256

    def54ca9d20a2be98814167bb43fcfc71cd325b0ea8b6034da1278d982785043

    SHA512

    71e23120c716058551c2fa15e2b16f24b5d791c5b8808763fbeba557d7d3e77bc34581e4b57fc40b7e64bab96a1c0df829e8f2100d7e7ff3285e88f7a4ce1d79

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dd7fc67d3ca45d6c19b96f9b4ea41e05

    SHA1

    4b15897c30f73aa1469c6f67e8a6351e797e9f44

    SHA256

    cb3d93cdc919719b7ef197b58e46d658a93b4e720f601f0909ba8006145109d4

    SHA512

    d063bad47b836dd3953abac477495b79aef2d1b6ba0e065067bb1117bd01bff735fdb32efeff8cad719ca4725bf987ba2f3a7f05017cb02aad97709ab489787e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    18a230607bb9d1a012fe00e705fa37ec

    SHA1

    45229f90ebc20612ed4589551355bb71deaf829d

    SHA256

    17bd7d6d683bf08e2601a0f7537626df8c4be043a0d60ee7cdd1f084ac1c67cf

    SHA512

    54cfbf03bc88addfe7066f141714458eb83c5cb00b1339786cd88f413fc0d7f250659b7f341fb1948ac07cd921445d5dd7c4085da193f3aaaa4924e6f6931035

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b116f46d1478849c8a666626bd840138

    SHA1

    1da8272105dab865351dc502aac86cfea4c8c369

                                      SHA256

                                      13119ba9df91d0a892384f5019fd4c2f81b753cee2c09ff4e3b081f1216d863c

                                      SHA512

                                      d606789b2366596f2f11d82f7e8a93bd9e2e08f4fcdf9f81d9e5f70bf92cd4678bb3b0cfff860da3d0d9c6d69b5690e0c0c31c421ec7a300b02184bfbd4c404c

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      a8b128b520a875d95221f1c94ea3ec02

                                      SHA1

                                      19a37e137e95152411a37c50161a3d80d71d090d

                                      SHA256

                                      a40bd311d26eabd8d1b8afbbc400f062ad1e8314f0dc91bcb0475fd9afc7bb06

                                      SHA512

                                      b7f0319645cc47b0e0a2f9f1ace16f49fd0a1a9fbf4428ad424f2d597884fee6b7324d6545d187e6aa9e75ece503d516fc4eb8bc51d676a150bb9328e65cecb8

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      5d170fa9e181496043df247635ccfb9c

                                      SHA1

                                      f51a57463f1c4b8173f73bb3e78aed2bd042dd18

                                      SHA256

                                      a292ce457da526d636239e40f10e125829d9ced8639b2e568cad86172d461024

                                      SHA512

                                      637920ffd04a01ea7089fd02304a50806bdcb1d64d7a91973c6f6abfd727cf4cdfa58a7112a36fa1619de31e60de5204edd5438b1cccee7304e96258a0d51dce

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      a1049bb7c07980c1395ff5acdedf819f

                                      SHA1

                                      f30730b8160bcf6c8957260dc80888783a0ce2a0

                                      SHA256

                                      15f2c297902ce34939ef2428056dd1b62a20e72a8adcca965f001a8ef8946487

                                      SHA512

                                      80c73baf83ea9aa92c4679e14de8fb89abb610132625e056f41afe951eee7cc02daf9fda17e1730e038243ae8a304bee72eaa8e2facb5c2e7d497e114c1d1a7c

                                    • C:\Users\Admin\AppData\Local\Temp\Cab215.tmp

                                      Filesize

                                      70KB

                                      MD5

                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                      SHA1

                                      1723be06719828dda65ad804298d0431f6aff976

                                      SHA256

                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                      SHA512

                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                    • C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

                                      Filesize

                                      201B

                                      MD5

                                      d565de685c5926d1a89abdd72ab3bf29

                                      SHA1

                                      8657e028e5441cded00de1f5199af91f93af0a72

                                      SHA256

                                      17863dad2998eaed7cb2d6a11ab49c45c71fa112f5532a44d8871c072cb48321

                                      SHA512

                                      943bf62fc452ae2a71f1ae359ce49598cab4a1895f8b2060b301bd3006bf17fa542e98a0d353d077e8b40b72b7d65c3038b56da56bf08fb6f98abc6e5a24d848

                                    • C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

                                      Filesize

                                      201B

                                      MD5

                                      0ce609ff8ad60663be045eef1a939e44

                                      SHA1

                                      a7414d4d5570dc102949892d19ffae1636b0517c

                                      SHA256

                                      b9f629ffcbef09f9741ca72e60e27b56cc352537e0907d317080ea2833f47348

                                      SHA512

                                      daecaa42cef0efbf45f92c9d9d6a58284693f80757ec74fcefcd0582b9954d73b87c1ccfacbb807bfcf6d264475eaede3694ec9105aac83dacc34800873c4779

                                    • C:\Users\Admin\AppData\Local\Temp\Tar228.tmp

                                      Filesize

                                      181KB

                                      MD5

                                      4ea6026cf93ec6338144661bf1202cd1

                                      SHA1

                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                      SHA256

                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                      SHA512

                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                    • C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

                                      Filesize

                                      201B

                                      MD5

                                      33ff9a706a353bfcb5c9b4742d870867

                                      SHA1

                                      cdc09bc22123ee08b546392e67ec41c25e3c80af

                                      SHA256

                                      75dfaedcfc659903208a890619468f2547bc75ef0b88a22b4ce3771fab647061

                                      SHA512

                                      68edcf6286679a8558649863fb1688983fbeb8039252e0947cb418e39fc6a14c70d527f79a16d8f72d71f511c9254dc685ca59cfe02e57054685dd95f09ea9a0

                                    • C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

                                      Filesize

                                      201B

                                      MD5

                                      be10d459ca8a342d6b6d1a2a129804ca

                                      SHA1

                                      15fd58eab8563c305dceadca78ed22dd03d93388

                                      SHA256

                                      58fb4bf4ad67ad74834be0f23e7b3479479e6b23acddc0fea5b45a4b56225f16

                                      SHA512

                                      35d7e70b9cf581185940404d2a933834d47bfa093680f7b820f7429136fdad6c0e20fed352c782e5880b63d0ab06990396f173521a0cc55ae90ac8fc67501368

                                    • C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

                                      Filesize

                                      201B

                                      MD5

                                      3b7cc0e074b79895f25a0c77286373a7

                                      SHA1

                                      ed12c8d06c400a7e0dcf6523ab1986825fdaa655

                                      SHA256

                                      0df68536bc21678d15c62407418e21013e8d7b8e6e66052bc89c79f66aa9a246

                                      SHA512

                                      669b3a80693e6934c3f9e7052e768e5b5c316b6812879b69c9484be8b485551dbbfccd7bfe96dfae42f5bbc26df0de7bc1cd18bc0c267b5e72dcae9aa167027c

                                    • C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

                                      Filesize

                                      201B

                                      MD5

                                      8ffaad6c9988dddd86f9a3caf88bfe00

                                      SHA1

                                      86219e07976c07de132ff45666ea19a9ee181da3

                                      SHA256

                                      73bc4516b4ad1131fd76130845451289ee9230c2dfe5f7a7594f8c0522c759bc

                                      SHA512

                                      486466656a5ec276060337d9c9899b51f933947c20a06e08ff48593aaa1555195c77b0a3f93e27acc4248d0a36f474653868aa83eb5cab047aef0b9dbbb17794

                                    • C:\Users\Admin\AppData\Local\Temp\fcjBxfEQhp.bat

                                      Filesize

                                      201B

                                      MD5

                                      4f18c8ef221dfda703f41592259c0423

                                      SHA1

                                      8cbba39365135dfb026a6797c17d039f2fd6dbfd

                                      SHA256

                                      2da8f25c44d5bfb2f334fc72cb31ff33c650f1da0c2d8cf4810e7c27b15da128

                                      SHA512

                                      5fc461e8b0dee27782511da3b683c967780428c7a45e52d257e948a529de31dc1ad9ece464d214abe94452bb40b8b24cf0460dd775f578ca6b83741a97183df7

                                    • C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

                                      Filesize

                                      201B

                                      MD5

                                      7796004e174c244f84df667c434b173d

                                      SHA1

                                      2b8f8734f720256cee68a318308956fe0017166a

                                      SHA256

                                      6d9f39503f5ea476203e1809eed56d59933ac93d0ba3e5db74b415fb31aae073

                                      SHA512

                                      f7319aad8488d56f3dad319ad2bab04621970474d0d20850dc055746975e7a19e901765803835c5abf8c1757e887418da33c8a27f08bb52b68c56b06a910fa2a

                                    • C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

                                      Filesize

                                      201B

                                      MD5

                                      8c2b1aba827027491fac261a6e971bbd

                                      SHA1

                                      a33e018b392658369903a1e3452aab754d237b98

                                      SHA256

                                      5ad3f598dec01e082430eeccde2f96fa3e2dac08a7416316a668cd106336d067

                                      SHA512

                                      47aff350884b993dc6a59a439b0294588ceefea9af33b550846bdae2c4c85a3c5121cdad818d44762d09d1f1aad43c71929bf982196f231129fc52bc15399024

                                    • C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

                                      Filesize

                                      201B

                                      MD5

                                      b1c0dd7c22216a45f5ba898d35d5447d

                                      SHA1

                                      f62e99b8c9d3568d5e4e0255c1847d7354677ad3

                                      SHA256

                                      abc434395158b82de957b2d47b3516b5c08676a938f7a7c22dbcea42ed0e819e

                                      SHA512

                                      9a86c21782c74db23f51da0b8d283e25cc99bb29fa801a6e3860dc5cef36d500930507391aaeacc3cd49a34f03dbea29c3809b923174ca5225a5b86f0d090839

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T868LRX9LEVGX9RRCRAE.temp

                                      Filesize

                                      7KB

                                      MD5

                                      02bb224c2ad7218519887f5717ecd2f6

                                      SHA1

                                      c26c788e94c61fd235894522781c79dcba2f7595

                                      SHA256

                                      c0bdcca0abdcf3887a3c624cc54a9f15e61ca5efafa6cb4a809976332800c63b

                                      SHA512

                                      8eb172960cce3350bb991f005e882bb6a5c631d29ea288ba2717acb1c8ca8b6ac52d859b23469b7ef8a774cfdec8f0f309385ebf690297edfdeca80faeadf5d9

                                    • C:\providercommon\1zu9dW.bat

                                      Filesize

                                      36B

                                      MD5

                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                      SHA1

                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                      SHA256

                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                      SHA512

                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                    • C:\providercommon\DllCommonsvc.exe

                                      Filesize

                                      1.0MB

                                      MD5

                                      bd31e94b4143c4ce49c17d3af46bcad0

                                      SHA1

                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                      SHA256

                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                      SHA512

                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                      Filesize

                                      197B

                                      MD5

                                      8088241160261560a02c84025d107592

                                      SHA1

                                      083121f7027557570994c9fc211df61730455bb5

                                      SHA256

                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                      SHA512

                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                    • memory/284-328-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/320-630-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1100-268-0x0000000000140000-0x0000000000152000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/1100-267-0x00000000012B0000-0x00000000013C0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1148-388-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/1956-569-0x0000000000FA0000-0x00000000010B0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1956-570-0x0000000000430000-0x0000000000442000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/1960-48-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

                                      Filesize

                                      32KB

                                    • memory/1960-47-0x000000001B750000-0x000000001BA32000-memory.dmp

                                      Filesize

                                      2.9MB

                                    • memory/2428-448-0x00000000000A0000-0x00000000001B0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2716-508-0x0000000000290000-0x00000000003A0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2716-509-0x0000000000510000-0x0000000000522000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2724-207-0x0000000000A50000-0x0000000000B60000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2744-147-0x00000000009A0000-0x0000000000AB0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2948-17-0x0000000000790000-0x000000000079C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2948-13-0x0000000000050000-0x0000000000160000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2948-14-0x0000000000760000-0x0000000000772000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2948-15-0x0000000000780000-0x000000000078C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2948-16-0x0000000000770000-0x000000000077C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2996-87-0x00000000002D0000-0x00000000003E0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2996-88-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                      Filesize

                                      72KB