Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 00:05

General

  • Target

    JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe

  • Size

    1.3MB

  • MD5

    662eb62315bdd0c75616d1890a2e2717

  • SHA1

    7fd0a233add6c42bc6bcb14527de31027bf21cc6

  • SHA256

    1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7

  • SHA512

    620afbf5e6704d5a5c35731c47ea06acbb62d74021e30f821d188212dfa9341798c6a7e6fc599e9de72407fe340dec272c7bbf5d60b5402ea9cd7d85f6550013

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1072
          • C:\Windows\Tasks\dwm.exe
            "C:\Windows\Tasks\dwm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2528
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2396
                • C:\Windows\Tasks\dwm.exe
                  "C:\Windows\Tasks\dwm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2664
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3036
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2252
                      • C:\Windows\Tasks\dwm.exe
                        "C:\Windows\Tasks\dwm.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1164
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1748
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:1348
                            • C:\Windows\Tasks\dwm.exe
                              "C:\Windows\Tasks\dwm.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1980
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1712
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2192
                                  • C:\Windows\Tasks\dwm.exe
                                    "C:\Windows\Tasks\dwm.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:344
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
                                      14⤵
                                        PID:1188
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:496
                                          • C:\Windows\Tasks\dwm.exe
                                            "C:\Windows\Tasks\dwm.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1808
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
                                              16⤵
                                                PID:2756
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:2628
                                                  • C:\Windows\Tasks\dwm.exe
                                                    "C:\Windows\Tasks\dwm.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:952
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
                                                      18⤵
                                                        PID:3012
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:2388
                                                          • C:\Windows\Tasks\dwm.exe
                                                            "C:\Windows\Tasks\dwm.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2372
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
                                                              20⤵
                                                                PID:2800
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:2428
                                                                  • C:\Windows\Tasks\dwm.exe
                                                                    "C:\Windows\Tasks\dwm.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:344
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
                                                                      22⤵
                                                                        PID:2008
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:1768
                                                                          • C:\Windows\Tasks\dwm.exe
                                                                            "C:\Windows\Tasks\dwm.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2900
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
                                                                              24⤵
                                                                                PID:2244
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:888
                                                                                  • C:\Windows\Tasks\dwm.exe
                                                                                    "C:\Windows\Tasks\dwm.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:804
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
                                                                                      26⤵
                                                                                        PID:2592
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          27⤵
                                                                                            PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1fc78150b3bff60f30edcafd3977a1a9

    SHA1

    2539a680241ba21d95ae0032d15292956d444a70

    SHA256

    1f080c97705c60d2190f51c5225021ad9d6168d07bb3fb75967d843aaa2660b0

    SHA512

    fade88714c010c6d3d795b3e9f6b416aa4176b7a2443d80f7726f81872c89b134c0004b17c2d3e20fdedaff7c6b962535df37dd25f645de79b37470be049f585

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b000e31b717be85893d9136195c17528

    SHA1

    75d574c7850384e4c747ff7c5f5c08a1bc972c26

    SHA256

    1fae6c5682a990749c200d7cb66ebf3bef2c6fe1e57a59b21bc1c1a4c2e1d856

    SHA512

    571f327fd7f951265fe5027e469dde93c96fe01f1d86e229890d3642b899e752e627ab95a097bd07caad31e5a94b5f3a704adab091c985f0dbdf1c90015c06b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    98d96646effa77d86aa49d68718db75a

    SHA1

    c214e5a5dd88209a73a921706400701f7c2209fd

    SHA256

    d3c1a20545973deb51376daa5715f4a78ace1256700c6eacb9403865e33b0416

    SHA512

    dfd5306e9e80c96d04d5182c966525299299856d9c43a31acbe2085895ccee396a1cc20fd3d3c24f811d37bd8f7beb056f910c74ac511bcc4b20c6bf0a1e4d02

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1b81bc9c5c6ebf45a51a9c19906c34f8

    SHA1

    f0c755c33cec759172afc131d56a5160b715d57b

    SHA256

    9fee3c3139daf6a87c3832e3ea155f4e79400fec600d4e907cf5437d45b87aff

    SHA512

    e6a0bcfdb3b4c75e2127eb06a819fc595b40afd23b0ea89d72c03c35da98745a5c3b7378f5251be59bec1df79c9a29a24aa7104d2fc990c80c9ea11cd833c67c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c2c9963256f7dd708a389f0dc25d7f88

    SHA1

    de6a154952122bc674905b1a9b3098ba001cf391

    SHA256

    ca548a6ed8018bcba8d3992eb566ffde441e032b75063b588436efdcdc8544fa

    SHA512

    27caece9813e33373037e619393bf9334b56cb6dfbe3a0cbaee385179051682308147ac3199204dce817133da1c8cae27fd7fee6ef02f9dba7d6b4041d6142c4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    95d162013a4279a59dcdfeb952694490

    SHA1

    08e38c291e25f767730d3c2f4bcaedcd01ae340e

    SHA256

    967fc5ea89a3c88c3af6b291d51ff0834bf096507859b24e93ecabcfdbebb348

    SHA512

    c568008dddac981dd1a48faef14e862ca2ff91ce9b112b1fc82c19c3f67cf52123085241406955317fa527d82a990fd71c7d3dd160efc46c209c5126fa47c27e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9d57ce4de4d6c59343ded471bc15ff0f

    SHA1

    ee571c00c0ce11df66f493e4908cf890f2815602

    SHA256

    e982da0d1a089f81bdb03c1d55bfc72cb8e9cd9c9616bfb4000c970ef38a513f

    SHA512

    f55b0207742b7115800ef60358dd4cfbeca088aa48ecde7ddafa2ae71f9167d167f36b0813ec2db7f7797668b7ba3c85d0b79626fc80dfcd6ff9f0555d85341a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    797788a4312f27583ba1d83f79c8b8b7

    SHA1

    7c7c4970ac328910f2da60094e11635b9643a598

    SHA256

    a39f532c1492490ee5c4fde6db106c88168624725d741c044ee8f0f012e2b443

    SHA512

    045671365e7693791b9ec70a9e67e4a65fee329bd83e5c9f96e9622821d9cc8698f05b25f6c6e4b6a1408345b784119c288c39a7b532ad65573fd870e22d5b1b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5bcd9864d37b11641dee013ec3e46927

    SHA1

    a78ab260ed297d5061860803d77dd01e8f058e38

    SHA256

    88dcbdd9b077515018a1a5d6d7d527e8b62858abe4d3d84d18b46d88cb9fb287

    SHA512

    32544ada1eb6ad5a65443143577917b36ec7639799322bb409d2d983d1c7b2a6836a258c607d30dfed7e40ea8703f5fb483ca8982d8d9f48d447d35439bd3b66

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        97edadec3c054af7b0098d70b2ca6ff7

                                        SHA1

                                        ce95bd3a3d9f5bd40a782a02e74ae3bc71dac03e

                                        SHA256

                                        26b715581ca036937094d824e2461f5b70211591560defc77b2df640380f2e6f

                                        SHA512

                                        8803bd704a25ea3e401e1911b3761496f51723a69fcdc1931c0d020e606f1ee795d68be7c42fa96eea38a755d768dd7722e7f8b370f57f5bce6b7b0df3fa1950

                                      • C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

                                        Filesize

                                        189B

                                        MD5

                                        9c469b481fb28c0440ce854fc4e0f7ce

                                        SHA1

                                        e2a581f701cd6de5b563f0a40b6605124c0cce8e

                                        SHA256

                                        6969a10dfd68cdb887e5ba8148f1241dadf0d7dd5c1f0fdf34b8910bdc610ad5

                                        SHA512

                                        d4ccff5430f4a8a2eadf2f3d8c90b936cee12155db9d7bd8d9a1df27c6270b32de86ba418eab7726b3f1aa6feb7fd1744cdfe9c3c1bbf470807038d30a9f8974

                                      • C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

                                        Filesize

                                        189B

                                        MD5

                                        54714cb835817a4e9410d3bcbe54fa3f

                                        SHA1

                                        fdc64b3054b628c94748d2bec660b71a56bafac1

                                        SHA256

                                        18d81794cc6efd63917b4e55744d6a6fd33a1eb418d282cb310c5cc4eaee0664

                                        SHA512

                                        9acb055074574884f3113f4df3c1672d192aa61814939e59c41071f65aba4aa923c1e27736abfbde81e9ba805b1da8efe9aa3e73bef10884f61d889173d4cd47

                                      • C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

                                        Filesize

                                        189B

                                        MD5

                                        f3d6325464a8054dac9d756e9aa71860

                                        SHA1

                                        dda85a476180c220ef636d6467bd535914669551

                                        SHA256

                                        722a1f7c27e15b6937aea5e7681d12859df1f4f6e1f646759c09ae50ccd24e08

                                        SHA512

                                        ba954fae80f29936c04a01503e999d1e78ccfb78a5ac08ccc0c13c2438ab0b5d24631a705be61aaa373403d45b9fe4bbe975c6c337af5a9f9648799a25482344

                                      • C:\Users\Admin\AppData\Local\Temp\CabF9BC.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

                                        Filesize

                                        189B

                                        MD5

                                        c6e79e8e701462b443f8c4083ec0081c

                                        SHA1

                                        d97b32c557ced0c99ffb2271dc5ce855f43826aa

                                        SHA256

                                        5dbb5e860f2ca59930f0b1d1cf22ec4397c83595e3536e9eb7a31c1443790d15

                                        SHA512

                                        4993200674f010194bc2cd212980cb6c5f5713fa08532e9bbdd17d062c187f96203ee7919eacbd903178e3dce1220d178b5db5bacd9826d7e11920e963483330

                                      • C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

                                        Filesize

                                        189B

                                        MD5

                                        20ad57f2b5cd0409e4dc6900faa6af5f

                                        SHA1

                                        66016356d6d8300585a07df9aaf22cb40dbdb16a

                                        SHA256

                                        557e4f0964e89d5d52ffa22c91648b02e0befe9d3c0d7c8e7bae7e6e4c06ebe8

                                        SHA512

                                        a0b8ffdc10cbb46322de58cace528799cc5bdc34d568559de8db5ebd3292d0200fb873283f9aa0c918977f38538343b0b766b6233f65cd014455e800a2587369

                                      • C:\Users\Admin\AppData\Local\Temp\TarF9CF.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

                                        Filesize

                                        189B

                                        MD5

                                        356b731f8938d612a35e71794dbb3614

                                        SHA1

                                        985854a6117f9c25372fadc271374e506620143c

                                        SHA256

                                        011fcfb4d5a9993b9ad442233661d11cd775c3c37c35a263318614f3419d95d1

                                        SHA512

                                        f8bf5630befe424e2e912aa8638df6b76dd49257907b381ee4caa71234d8e5a2d963e216a8ee39c73c70dd392b5e6bbaff4aa1332648bdbdc3aa066a5735ce99

                                      • C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

                                        Filesize

                                        189B

                                        MD5

                                        1e50e3520e88864efc00261d8be46701

                                        SHA1

                                        4b67210f898e07c27c931272b00515696255c581

                                        SHA256

                                        a525c3c9476d30683d5a105245aea4205496e9bd641672caeeee40f01762ec0e

                                        SHA512

                                        63bd7bb7f27e58883cd09ee67549e4d118ff90998f12e77efc90c80c0a3ddd9fc6d9b468fb13f427ee1843cbad1857ae3718d722c330af0392a87fa9448d5fe5

                                      • C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

                                        Filesize

                                        189B

                                        MD5

                                        a637b31fd8a2e568bc818c617f5dc2c8

                                        SHA1

                                        d17f446bbb36517fe65526d38ff6f27e0009b824

                                        SHA256

                                        05d1e507e54ab3e67bb57b9137f664f42705c29bc1805a027803df77f9340787

                                        SHA512

                                        12aa1fc86c919b4e69cfbfa18a24e040115f739c83b130482cb068f60d6b38900897b27b2a35918f1fbb191c41f6a2f8d59c32d61114a4093a8f4ef63c862b6c

                                      • C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

                                        Filesize

                                        189B

                                        MD5

                                        1cca56b8e194e3c5af3b5aaa610c28e1

                                        SHA1

                                        9c0ca508555a29686dc5b3d09bd0cd5bcc68e8b8

                                        SHA256

                                        b8dcf8f6c69b23b05c16cfad833dfa0ffc5af3702430d76e6006c9616aedb76c

                                        SHA512

                                        adc60a84c3585cbcc015802afd08dcbc2035c97fd05e0d339d18c01e82f924615905ebb3d07ec07b5343925c267a08a482387096ee84bd77f426b6b7bf6f9640

                                      • C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

                                        Filesize

                                        189B

                                        MD5

                                        6a8e2c5a0edbc7c6edf8991e23b36838

                                        SHA1

                                        344ebfddccfd9f576ee87782fd9be2b496b31cfc

                                        SHA256

                                        2328242896db0ef96d96500a39d27790306b9231d3787e8da1a3d4a80458b5cd

                                        SHA512

                                        69204f2123281f866c0f914f65c52a4b9753958f3f51d78f85b38fc426b6677e64cb813926b1b87bc3647dbc4ef67d90566718204c4d79cc70f8bc1a1f7553a9

                                      • C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

                                        Filesize

                                        189B

                                        MD5

                                        e61ed68f9cb06095ad96c2cff151ca8a

                                        SHA1

                                        3fd7fdc44befd312c3e4ed5b006cd077f3600693

                                        SHA256

                                        a9875570ff9afb95ac43a6e0dfb82cff7b659c8a9cc255d5340df555ecd27b64

                                        SHA512

                                        99ed3b685dc0f1fe32f2315e7b47b3b2a8437c334b284a6f773f059f6526639543450170257cd5cb6b30349b7dc2903d75fa07e0242723b5a18afab815e72c60

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LTRHVTF9C7A8Y4LGR2FG.temp

                                        Filesize

                                        7KB

                                        MD5

                                        e20bb1b715f25f8d10fd0d044283956f

                                        SHA1

                                        61ee625a46a30f2e349ba4e2f18cf5b636cb7429

                                        SHA256

                                        636569e8ab5a8f29a9551e081cae0cdde4167a4f27680bbf23ed807c28bee296

                                        SHA512

                                        c5e094fc842567e363f01321dc36fde3ad7c62eb48234c94d3bb74490272dfad181799a57d1240cb492d871e453b4d456caf81f7e20d4ea568d3163071ca93a4

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Memory dump                                                       Filesize
memory/344-542-0x0000000000180000-0x0000000000290000-memory.dmp   1.1MB
memory/344-543-0x0000000000450000-0x0000000000462000-memory.dmp   72KB
memory/804-663-0x00000000013A0000-0x00000000014B0000-memory.dmp   1.1MB
memory/952-422-0x0000000000CA0000-0x0000000000DB0000-memory.dmp   1.1MB
memory/1072-65-0x0000000002310000-0x0000000002318000-memory.dmp   32KB
memory/1808-362-0x0000000000190000-0x00000000002A0000-memory.dmp  1.1MB
memory/1812-64-0x000000001B6D0000-0x000000001B9B2000-memory.dmp   2.9MB
memory/1980-243-0x0000000000440000-0x0000000000452000-memory.dmp  72KB
memory/2372-482-0x0000000000F90000-0x00000000010A0000-memory.dmp  1.1MB
memory/2424-17-0x0000000000480000-0x000000000048C000-memory.dmp   48KB
memory/2424-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp   1.1MB
memory/2424-14-0x0000000000450000-0x0000000000462000-memory.dmp   72KB
memory/2424-15-0x0000000000460000-0x000000000046C000-memory.dmp   48KB
memory/2424-16-0x0000000000470000-0x000000000047C000-memory.dmp   48KB
memory/2664-124-0x0000000001300000-0x0000000001410000-memory.dmp  1.1MB
memory/2900-603-0x0000000000B10000-0x0000000000C20000-memory.dmp  1.1MB
memory/2916-63-0x0000000001180000-0x0000000001290000-memory.dmp   1.1MB