Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 21:06

General

  • Target

    JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe

  • Size

    1.3MB

  • MD5

    5aa97c66abdc83e47738e8487aa30e9e

  • SHA1

    c9ad68efde9614bf40cef43aa65f1b1db0af45fd

  • SHA256

    f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188

  • SHA512

    3528930e138340786ade298a57a83a16b3ceee836cc1932edec0d8e395859776b3d9adade30283fe7b6f7df374d0e4742dd848dc752d58046c6555d3c6069b77

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:668
          • C:\Users\Default\lsass.exe
            "C:\Users\Default\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2668
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2620
                • C:\Users\Default\lsass.exe
                  "C:\Users\Default\lsass.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3004
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3060
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2420
                      • C:\Users\Default\lsass.exe
                        "C:\Users\Default\lsass.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:904
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2600
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2064
                            • C:\Users\Default\lsass.exe
                              "C:\Users\Default\lsass.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1720
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1572
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2772
                                  • C:\Users\Default\lsass.exe
                                    "C:\Users\Default\lsass.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2888
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
                                      14⤵
                                        PID:356
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:2080
                                          • C:\Users\Default\lsass.exe
                                            "C:\Users\Default\lsass.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1344
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
                                              16⤵
                                                PID:1292
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:1088
                                                  • C:\Users\Default\lsass.exe
                                                    "C:\Users\Default\lsass.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1632
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
                                                      18⤵
                                                        PID:2844
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:1944
                                                          • C:\Users\Default\lsass.exe
                                                            "C:\Users\Default\lsass.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:236
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
                                                              20⤵
                                                                PID:1776
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:796
                                                                  • C:\Users\Default\lsass.exe
                                                                    "C:\Users\Default\lsass.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2348
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
                                                                      22⤵
                                                                        PID:2588
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:2840
                                                                          • C:\Users\Default\lsass.exe
                                                                            "C:\Users\Default\lsass.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2124
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
                                                                              24⤵
                                                                                PID:2148
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:2948
                                                                                  • C:\Users\Default\lsass.exe
                                                                                    "C:\Users\Default\lsass.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2432
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
                                                                                      26⤵
                                                                                        PID:1692
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          27⤵
                                                                                            PID:1284
                                                                                          • C:\Users\Default\lsass.exe
                                                                                            "C:\Users\Default\lsass.exe"
                                                                                            27⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2668
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
                                                                                              28⤵
                                                                                                PID:2560
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  29⤵
                                                                                                    PID:2360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize
    342B

    MD5
    18ecf9fdeacbee008f9559f5cdebe21d

    SHA1
    20d58c3154482520688f64c6738c1b04b453c446

    SHA256
    237712894c8b33f79a4a58f8e37e6f0c1d6493df587f83abdd30bfdb7e2e2475

    SHA512
    c27b9f333238f4fabb9ed93c7484f0dc8ecdb8a3135708d810c15000eae95721879ca1d7fa54c88eb517496c7df789ecf20a1ddf9c7fed0f5cbe85aeaf0a5a90

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize
    342B

    MD5
    3bf07d8e518a387b750e3db41ab4806f

    SHA1
    3ec13814844064661869a9be2cb83acaca9626bc

    SHA256
    33e938c79626c9cfe4255aee32947b99b4a3ce6140735ce89a780b7b9da6cfe8

    SHA512
    c99aeca46588f22a38156e54922884bc33cf0725f67bd4618f37590c3a24938b8e82e64d4a64863b351c81f87bfd4ba96db05a2e863bad73add9b48bd9fca3ae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize
    342B

    MD5
    9b1e7eb647bf2f753b129de879bf8524

    SHA1
    dab542f7edd39475d81c41e2a049b664738a1698

    SHA256
    b26c2fdfc8e63727801f89c8f43bf2f1589abb11e2c7881491229e2d12fdf86e

    SHA512
    23ac27329598363b84295a898eaa7f4021289627c65aec7881643b03ff5c6162725f42bc6d5f3731c420ed555638a83a6cddc275693f834ed7fa9f7060f2f045

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize
    342B

    MD5
    03d457b0fca92eea339c92a72b1b3d55

    SHA1
    0a3e17f8c8f99ac15dff2464aa3e03640879d413

    SHA256
    d9457cf743c58cae0a7d53adda6e76d48c903b17f776f0e75abc40612644f85c

    SHA512
    f2c8f9ba17aeb63f0d3679cb402547709ae67187c36caa237f998b6ecfc735195210e019d8f4e1c062ecf4530ee33e31bb2073139fa018f814fa285fc6928af7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize
    342B

    MD5
    137aeb01bff7d22cf845615549c81254

    SHA1
    c605a8098fcb16517749be91ba42487aef8df3b5

    SHA256
    236acefcd7289eb1d0412b2e75fc7ee28274ad628b8d4300b5bd68d4b5c4e5e6

    SHA512
    fb4bc10e17cc71c402fc341a5919157b3ce16e4721fc871ef48663ccf650f08edf73acc97af4800c4b3ccb508930bc6ff3299b1bfeedd4cbf070791f0a616428

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize
    342B

    MD5
    7ab332c6c99661a546581f0d18861c27

    SHA1
    666fb8c5bc68ee11df0f9c81219e32567fe61dbe

    SHA256
    24e7d2229f394675df6623a93e06e5cbf5d3926bda44b3ec2dd1683e09983e55

    SHA512
    d00d6465dee9681e47ba51cb11787939a4e5bb15d6a73f823ae5568d1e5c53ece1865a93b88b751998942ccc507ee7397ce0e04a33ca540cc5555ed3c30230a1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

                                            342B

                                            MD5

                                            48a030f9580e335488fd2723a070c7f8

                                            SHA1

                                            6b6fffd7f7d32d4c7e719736be383a35fb7825c8

                                            SHA256

                                            27861b464403a19f525ae7053103d58676cce9c39b6d768659e1fc2e0aceba2a

                                            SHA512

                                            084721f61fa59936d7d3f6f9de754d6cdb7c67ac1a43e43e531f5a2dc8f2ddfd3561479198681f2d568ffb45e54049fcf5df09938b69687edd43f4630d1bcbdb

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            a3d0e925416277ab34f6bc22bf464459

                                            SHA1

                                            b0850926b65b8af1442580a24dbbe7b14bcce6cd

                                            SHA256

                                            218826d58ee9b653252db1dccf6f117bf7a00693453cd84f7cbf06c4aaff2f2b

                                            SHA512

                                            058863705669d437bf688c7494f23b707c5c325f0e9c7071c0c02d63400d8c252995f53a1cf863e0023720405cc152308f313f46e17cc721f343e9ac5c081736

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            744e78b1b2c7f4b1916edfe11ad97b4d

                                            SHA1

                                            1ee033110ccc736d6683b464d12fb8c8fec7a37c

                                            SHA256

                                            06f90dbf9c508409c17bf2bcedb8c22ba307f6d584393654cf68c9ac79b9d5a7

                                            SHA512

                                            97a43310a054462c3d9ad004bf4112652e4a84448ed5ac2a6b1063a849567f0639dec464abf31b849e375b22dcfb7c57d2cbebbefe5120675bdbb51ae2c2a2bb

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5ec54e0e13609d4f3265e159257e1bc8

                                            SHA1

                                            847f3369b713eb9b2722741a2572e923712df710

                                            SHA256

                                            245c039680b7e750caf8fad65b05fc7e13dd2690e112bd37a2816ee4c80a8445

                                            SHA512

                                            9a0636e5d077a3f488a4be9157de5221d797e05cb010742ae122fb13ef832b9857d2023d78df09b1a07c9ae663e5685a3c5e11b581c646d48de29004cb3db03f

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            bfdd431d41aa5ce9ae2c363323bf22d1

                                            SHA1

                                            561e1cfa7f20986a76ce32b4231f94e140c35eac

                                            SHA256

                                            c7a79e2f3e2de7915e1f9436ce45269e0b536d37bd84dd1eba9594ef63e844e2

                                            SHA512

                                            cea3244a5f2406e31829a6d6aab33f3012dfcbcb9c3a159745c10f9f878afa8ca69b62320cd93178abf8ec9b7aae8b96bb8610076e0bc2225249b629ce2c433d

                                          • C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

                                            Filesize

                                            191B

                                            MD5

                                            1096f0411ad5d0549e8314f527d87f4d

                                            SHA1

                                            b996d79fe711f02bd4234e44245998a0c9d1fdc1

                                            SHA256

                                            f8a647ceef200de9f5315e8a1bd351cd38f743c39ec9677698d2a1915c2d5996

                                            SHA512

                                            c2aba66ca41e41704efb30f5b3ccaf868041c3d1d4c6e842b01ed7e6947c50ea570988149b66001f5cbd47e77769a82a09758b294575b555d4846ff0ab79a254

                                          • C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

                                            Filesize

                                            191B

                                            MD5

                                            aff851ff99555176a86beb32ba310acd

                                            SHA1

                                            0bdebd89b2f8300f8b9f87622a6932ebf3857aac

                                            SHA256

                                            4ead115d6b05bae412f246a507370f432406bd914bf9c7be1e651319616b1d3d

                                            SHA512

                                            a9d968a9d108c9f326473cbfb8272ec267aef78da0dd055fab86fa9a911ea76e722b0bb873c1b68abed23badee25efd100a097fc092174e5422768dbbfafd009

                                          • C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

                                            Filesize

                                            191B

                                            MD5

                                            575b78e0584ddbae7dbfc766bac48756

                                            SHA1

                                            453210bdd9203bc94302e6dc732f5b9c87a4d099

                                            SHA256

                                            1b9a4ad954c74ca82742175b1850d927ed6ff9e2008101231b3e4b6e77e5be25

                                            SHA512

                                            2b5c9fbe77e3aab571b767e1412a88e6f3962c8dd5a7857c6b1cd917184c126ad554dcb1f51e5b94c160bb191329fc3ed60a29f43f0558779820731f7e89ae1a

                                          • C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

                                            Filesize

                                            191B

                                            MD5

                                            aac8de4779e6811a9945bb2d888d0462

                                            SHA1

                                            ab53ae252882ea8c9b0195ae20d42c1ddfcde028

                                            SHA256

                                            bca895392b47a648707c04c1c058593d38591ae22bbadde052583569e5e21f82

                                            SHA512

                                            2d5106b07e0b597f708aa00ee004e2f5f40c93e6c6781a1669bd140b4cb78b0397fb3c4b64db8ce3a38d4b60668766ebc78f1e2677767955f12ade7aeb21b76f

                                          • C:\Users\Admin\AppData\Local\Temp\Cab3371.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

                                            Filesize

                                            191B

                                            MD5

                                            2e299738c2e6d7f41a21a008468af214

                                            SHA1

                                            01f17045e6dc09692f91a4e12c117ea06b3e54cd

                                            SHA256

                                            8126c9fd629f1c9569d3349c9c1d996dac6f5700878a07b5db9f5acf7ec5d4dd

                                            SHA512

                                            6023cfa27cdc80f61b0f220483044d0618c257bf7fa8be9978ece6dd6d1a8add8c3d05b07dc3b6f6465e850a1dd231db86ea963525d5e82e75871a6eeb3484cc

                                          • C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

                                            Filesize

                                            191B

                                            MD5

                                            e1748edc42aa680a4006062b2dd3eed8

                                            SHA1

                                            4984a0387e81580d094c8a8dd48559399e6acd09

                                            SHA256

                                            ee9e25eca24185c542a1c8d59b34e0a36bdd4bcced42dbaed835d9ef7ea7531c

                                            SHA512

                                            e3457015479905cdec29e3b5c619edb997e2076f9acd658fc3935e7023370bdf37595a30f94a50d77f820568d18e73217028c8dc305bf09511895f58bcf9b6b7

                                          • C:\Users\Admin\AppData\Local\Temp\Tar3374.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

                                            Filesize

                                            191B

                                            MD5

                                            ccbda76d1ac3f9054ad9e85ee976d165

                                            SHA1

                                            8642ba90aa7e56a2911ec4c6d14f288a2157b2b2

                                            SHA256

                                            d42e3d35b3d640addcbaa9ebe293fd011a0a62ade26271babf884bdb3e791729

                                            SHA512

                                            7a86c90d7c7909aa97cabbd88370226cd246dc267913fbcfb7c5b83630db0312b4ebaba5ea6a44cb22e9f712e36915d523981693b4e17e3fce9818cb2003791a

                                          • C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

                                            Filesize

                                            191B

                                            MD5

                                            cb16b64061ce4014de2570c6c97e301a

                                            SHA1

                                            d00e6ba4b313f536f013763cf0c77c194efaeb75

                                            SHA256

                                            acbe9c50abbc02815cdb5cce03ebdbf6c219625daf11d3ca2766367676746ba5

                                            SHA512

                                            bdeb20b1dabde290edead5e9bedaf2919b17cf4b3f9d71cd6593175e74f2c317f979e5213e5cf7867284e667327d21348d4020123527c76f7cfc779ed9664ff5

                                          • C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

                                            Filesize

                                            191B

                                            MD5

                                            9c4b5d32624ffefa00c2633f58f57d00

                                            SHA1

                                            ae2d07183017354440ad2fc0b3ee9908367bdc6b

                                            SHA256

                                            0ed63568ae90be7681afda5bd2868a79ad6ee9f44b05294b6926165ab5e6aa7c

                                            SHA512

                                            0643fd430eb611b15616214f13b3a419ebf6f2b127ccb1c6719b4e061e290285e6265856fb507f61dd6bdab2964994959f142474898bcfb794931a3e3b05d9cf

                                          • C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

                                            Filesize

                                            191B

                                            MD5

                                            6fb9a15d0e2af2867610fce989bb56f5

                                            SHA1

                                            e816c732e1d262e9c86fc5a75e92709cf049ba2f

                                            SHA256

                                            ab2b0f5846935fdbd92daef57ccd0841afd16db36aa4d63219e0089876a7c600

                                            SHA512

                                            5e147ca5e7dd5b8f3477d6c6dd668f0589f0f34fbb2e4be34b14cbd7d96e719f8e546131f81a18eced895bf27527cd4b5d7bf341f66aa8f988102edc737c76e9

                                          • C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

                                            Filesize

                                            191B

                                            MD5

                                            e15daa493dd242a8059472f3bcae0440

                                            SHA1

                                            6ef80839dabac5cffdd19b57346997529bf87dba

                                            SHA256

                                            1c707ffaaadaf924ba618890e99d236c64afb391f30af4001845bd016047b935

                                            SHA512

                                            b81bc731eae698f30c8b64e1d3f492f0fe57e7bce5c583ec1c162fcf38dfb0698f773f5e6ae2d99fb4af5bed64fd5d8fedd638188e5daa87250503edfc4a26fc

                                          • C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

                                            Filesize

                                            191B

                                            MD5

                                            410d40814b41da6b48521073570dd03d

                                            SHA1

                                            0ec1402be91297311f7a4bad61d3aeca7311cac0

                                            SHA256

                                            87930bea1c410c307258b5dfc850d32c17606038422a57b46a3a6b46ba089096

                                            SHA512

                                            ba519a1c2309b84d16c2cde07522ba4bf57bc472b26a543c485994250a0bc649dc8aec6cb17951de425fabbd2d525ebf220a868c95f394360e2ccdf221dbfd82

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            9cc258b9e4fac3b945647c59f8c795d9

                                            SHA1

                                            026280f6bb5ed67cd1223f7fab73b56ef8cae4cb

                                            SHA256

                                            6f0ab3f39c7beb4a8c1c5235372dedf1133616a8d30618c62234213911c72d1d

                                            SHA512

                                            a9f3d67fe0f5a31d3d2358d0578eed3110ae93181def5e81271201f150d5859ade014fc053b77282dcfbbfc51c0e76dd6805579d015adcc35b00ea1c685a677b

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/956-65-0x0000000002250000-0x0000000002258000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/956-64-0x000000001B610000-0x000000001B8F2000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/1344-364-0x0000000000E00000-0x0000000000F10000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1992-34-0x0000000000C70000-0x0000000000D80000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1992-66-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2124-601-0x0000000000280000-0x0000000000390000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2432-661-0x0000000001270000-0x0000000001380000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2668-721-0x00000000002F0000-0x0000000000400000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2844-17-0x0000000000380000-0x000000000038C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2844-14-0x0000000000240000-0x0000000000252000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2844-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2844-15-0x0000000000370000-0x000000000037C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2844-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2888-304-0x0000000000370000-0x0000000000480000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3004-126-0x0000000000140000-0x0000000000152000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/3004-125-0x00000000012D0000-0x00000000013E0000-memory.dmp

                                            Filesize

                                            1.1MB