Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 01:12

General

  • Target

    JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe

  • Size

    1.3MB

  • MD5

    fd4723d4daed5b787199a3d5e21040b5

  • SHA1

    533cff7711b4d262509260280227fcb0d0433b67

  • SHA256

    cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5

  • SHA512

    821cc704eaacd6cdf1891a382629ada668952d151bdd30acc8e657bcf50d6cdd1c2f9e584cbf99a40e53af726600ac7ab413ed4f3c42a90cf805b089dd043cf9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1076
          • C:\Users\Default\Pictures\Idle.exe
            "C:\Users\Default\Pictures\Idle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1752
                • C:\Users\Default\Pictures\Idle.exe
                  "C:\Users\Default\Pictures\Idle.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1728
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2400
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1800
                      • C:\Users\Default\Pictures\Idle.exe
                        "C:\Users\Default\Pictures\Idle.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2224
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2248
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2396
                            • C:\Users\Default\Pictures\Idle.exe
                              "C:\Users\Default\Pictures\Idle.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1460
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
                                12⤵
                                  PID:1488
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:1620
                                    • C:\Users\Default\Pictures\Idle.exe
                                      "C:\Users\Default\Pictures\Idle.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1648
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
                                        14⤵
                                          PID:1164
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:2976
                                            • C:\Users\Default\Pictures\Idle.exe
                                              "C:\Users\Default\Pictures\Idle.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1812
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
                                                16⤵
                                                  PID:3028
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:2592
                                                    • C:\Users\Default\Pictures\Idle.exe
                                                      "C:\Users\Default\Pictures\Idle.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2200
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
                                                        18⤵
                                                          PID:2232
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2872
                                                            • C:\Users\Default\Pictures\Idle.exe
                                                              "C:\Users\Default\Pictures\Idle.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1564
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
                                                                20⤵
                                                                  PID:2196
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:1992
                                                                    • C:\Users\Default\Pictures\Idle.exe
                                                                      "C:\Users\Default\Pictures\Idle.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2336
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
                                                                        22⤵
                                                                          PID:1660
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:2020
                                                                            • C:\Users\Default\Pictures\Idle.exe
                                                                              "C:\Users\Default\Pictures\Idle.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2724
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
                                                                                24⤵
                                                                                  PID:2468
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:2508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\addins\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Pictures\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Landscapes\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      ccb8d1995a6c3a623d7f219aca4694a8

                                      SHA1

                                      ede680b25c5bf94711d74376421e2672ef8e328b

                                      SHA256

                                      a8a7151d98037b85f42f2f40bcee4f0027b4d08cd516c021f785d37ebb7eb6ac

                                      SHA512

                                      44053bdfac0f4f3c7362fc7811a627ffb2a17129d2083ab04d200409b2b645ed561b8676060c2ef156d671e9fb4589e98e1bbb7699c22998e8752991a3b9b37c

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                      Filesize

                                      342B

                                      MD5

                                      dfcbc9db71a233c86c5f8729294a9d66

                                      SHA1

                                      80fc366ad5008ca8be9bdc685e1b69c00499f8cb

                                      SHA256

                                      7cb5780a2ed1a1dd9d2ec1d1ca16050e14d1602eca4e688f7ec170ae6b5df2fe

                                      SHA512

                                      d85b9ebb6355ee1de45a67bec7df517f1a2b3c4cb43c7d9359940028f9d0e2e0ce95bf0f988d85cc46dd46cc602616fb256d8e21ee0683564ddf78e00ce3d7a0

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 06d5d97d433419badd4fe0852d540b8e
  SHA1: 2dd088d40784830a619147f88e0986a83c5e571d
  SHA256: ee25e709f8ab77014dc5955660199f4f2fae39ea402888648bbc001b16cd9f5a
  SHA512: e6ab287ee3e4da59cd8f2eff2ac9a03ec56e1a9426c7800c11b6c8ee59d57a63637a00d6cb41d12dc2d6260bbccbad1a6f9fa8ed5f1b1b465373ead2694769a2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0ae681eefb3bfc797725566aaf3edf78
  SHA1: 988aa723974e063e4bf5898f2ec3197e9550114c
  SHA256: 7bffd5d667db91eb92e0a52861716eabf4bf311aca6785dc671e1730a09065ee
  SHA512: 2ced92af2e90302e7fb5ff44b78b3847a427430a7c755c86932370672170bf44887636f758c3f56bc4586d416aef64c3d2a0c11036712095a0841cb038dbd6ed

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8c9ee2e46bfefe48494e88f7917119fd
  SHA1: ae7867dcbac9994f696cb2316e805053c64a91b4
  SHA256: e6221ec4a2fd94b183db7b1e36a627237c0fd8463370024e3241e9da4b4ec8df
  SHA512: 8d4a1fc5093e900d708ce0604ce810358b656c01ab8c0a800a47f6fe3b8da78360adfaed604f610cab830b089ce2f1f4c3d9f6dae3b848ad0be577d8b68dc98b

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c10acb9f9ad65a93b73b59cd97ab9400
  SHA1: cd58dfabefb8b2bd1039f3be9ee7bccb9e102009
  SHA256: 733120764c9e39b0dda2d90c69b5291464326f9aadda74d18da0055fe76ca612
  SHA512: d72578e8479b9925428fe3789307e9d18606ba3ed185cdf7931655d65e9145a0cb35b96a26ac306c77923c04c34f67143139ff94c187e8ad4060b7d71675b5e2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6f7586076faa6bb2fe1f3931f937614e
  SHA1: 73256ba78fe2d3a534604ff10466b1151eca8ff9
  SHA256: 73d6b80c5d22d29ba39f79d5bb699b9d0f08c4b2a329e67e3c6de5496cb007fb
  SHA512: 633616baf59975e4793216482f4e0a8151c2342bc1740044aa527c96c5fb80d07a65e81b65d99bb1e3e6665ec02ed050ff69f1a2218419d440344ba1a451ef1c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6087b98eb333ba0b94b1d3f9f96773ee
  SHA1: 20f8639e114e07f91a84f40c553b22801f1ae01c
  SHA256: 6c9514efd33f46ef6d1c5295170d08493a2bfe2f0c65354c8c400761c796b96d
  SHA512: 71b602fb17cb8d82434164588a9fe83eb7fca84d78c3eb674d1afd57627cbf15c9df35bca1451de023067804567c5511407db35def11713e307a7826b4174ec9

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 200b1e2ff23dc64d297159a84b20cb57
  SHA1: 1c5a4697c5761487381e64dc5e4ec6ea44355c57
  SHA256: 9f61c7033d0f0a204b67682ba39a4cda34c802e737543808a13bb4a82de58ce2
  SHA512: 45ae775af7e55817c61d2c70dfa2adb82771412979acc99748ddca388b6bbbbab8ef31c0b6c32490bcd239ef46853cb6362bf5f9444bf447b7f9efa03ef10cb9

• C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat
  Filesize: 199B
  MD5: eda96f93e42ee90944367e73b221e709
  SHA1: 76e30522f04c842e99ba94a2b6a8e79105445531
  SHA256: ccb23a6f7a97e52c646554d3566da247322776d898f009f17000752815e043b9
  SHA512: db79b0c020b97a05cf186afe56bddf9a2588ea36e8479993d058121d0fa0f79868c71b3d421df9776c5bb57739caa1896da816b05c2367d8977924db2f9553c3

• C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat
  Filesize: 199B
  MD5: 1a9c44ae4f72eea2fbe6f15173b0d2f6
  SHA1: 520dffac5ab1b7785447cd97f3ea70350016bec0
  SHA256: 1b95eca519943b6a47415b0263fe9ded2fc5d6b1da17992fa6b5a1287bf823b5
  SHA512: 0a4dbcf6d2772687f026e7cf2e40b3c09c9735f184dc7819bfa138532001d9bfc7bba4dde5bd9bfe391788db71eefb2d6b4e8d4747dc7e3695629ee01ac838c2

• C:\Users\Admin\AppData\Local\Temp\Cab1A85.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat
  Filesize: 199B
  MD5: ac73b576c772de122200a2ddd6f36bbb
  SHA1: a1331d656238e35fd73e27769e0f7fd579f18318
  SHA256: c90ce04b696227576c2dcfc72f1ee85e10a9e17667df59cd2e4ee246be68b55e
  SHA512: 65515aba6caa79e872c18da41ab28f631d379c2540f0c91a027e8b56d7bba16c81578a40c4a69ae335b182462e97cd5cfebeeebf380142cd2cd51ba67a7016c5

• C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat
  Filesize: 199B
  MD5: b7e17d7f9168c9de867ef63763788dce
  SHA1: 5d2d65a965b95a2cf4ae08df083248a7723f68fc
  SHA256: 563f5d550de0fe528320a7d123068eebe9b5fb2ee63244f1cfac732182d79dfa
  SHA512: cfab84382c7d7d23b31923fec7092718823b8684e63f5469c9352363494829c7f60905c9e155b9b1029c12624822ace79ff390e83e622bc9107465719709b301

• C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat
  Filesize: 199B
  MD5: 667a5dd13ca4d14de9aeab50409c5b55
  SHA1: d7a247ca0a2a4b39ad749846b1a1cdf9cb175043
  SHA256: bcaed8726665e399e7ffad34005943ca09378b28b7b0d783c2f2956b26903d62
  SHA512: 8c6876af7440e74581a0383377a89eaac0b2167581e148500a37913f6712e621b0bc12d1ffce573f38719403b3ad13552da35fc1b7b044c78fed9e5875592b9c

• C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat
  Filesize: 199B
  MD5: 60855d5b05e5262be48e3c5ef411d3f9
  SHA1: c994ea4e9ed7a72996e528dab778e5a7c849b932
  SHA256: 3cb6a0b1466cff7240ff0495f19c95487c360eef0a151e32941e27d2cc0dd9fc
  SHA512: 50e680e16947510eac9e5b2079054acae67f5a3f81b2c2918e534f4e9109baf2f70b895f4b31dc3bee1a59ff44e5fad7ba9f4442154486ab17343047beed8ebb

• C:\Users\Admin\AppData\Local\Temp\Tar1AE5.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat
  Filesize: 199B
  MD5: 5596750ff9516c8088e55917bc66a956
  SHA1: b41a4ea71fb33d7a60934ba0b451269e82576407
  SHA256: e001ce3cabde638a02b15488ef7b1364bd430e94332ef61bea993e629c91b436
  SHA512: d3be53c1c286991874a8674c798aacee827171d7cbd36e0815c8fb9f849fb32c50a052d62e37fc21a02a068ba3f59f1a2fc033b5895127462b532da43be1e308

• C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat
  Filesize: 199B
  MD5: 92f7e17b0ae38db15e9727ed500babaf
  SHA1: 4021b7b47807d5eeb548e5b9d5b4a2ddf2b5740a
  SHA256: 00b1d3ea72e00bec3d99c29f6df2f1f0628ac018e74fd08e55fb73a34ea3c284
  SHA512: 6f101b3f69fe968f33171c218e5e7491393f1b24f4ab3b9a958d24607a43d408f45898cde306a6fe7e939f5c1893ef5a8574188f82958da78d4daf91ac12908a

• C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat
  Filesize: 199B
  MD5: cdc07998f79ce084d12bf5d4d53b3f2f
  SHA1: 248e542d3770484f38db8ec6ac691b1f28fc15f3
  SHA256: 5a1b60de1a642023b97a76b132bcc2f6aaf84a729fba28017f2570182ad4859e
  SHA512: ec3ddc1696f77421aba53fd055780c593305dc7d4314f029a0a32bde0c29f49cb3d7168f03d4ec9d7b4509707aa5f58386178f497c1d6bcd041664874982f5e2

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 43c87ca0437e53b4d8ffc6f8fed2765f
  SHA1: 0ae51a4ed9746f520c0062b3dacac3506ffd838b
  SHA256: 881e89a48d0e5765a7e434e9af73f9391d9e05d8bee7de59a8be1237236db38e
  SHA512: 262d98ce3cd246ed04bd151b22f8fc5738869803e373ea68bd893727483f63776cd99cf20b1f0fba6ddce48d1f1c657a95b07805750a9c7a8c8d80ca238a0a6e

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/1564-495-0x00000000010B0000-0x00000000011C0000-memory.dmp
  Filesize: 1.1MB

• memory/1812-375-0x0000000000DC0000-0x0000000000ED0000-memory.dmp
  Filesize: 1.1MB

• memory/2096-46-0x000000001B330000-0x000000001B612000-memory.dmp
  Filesize: 2.9MB

• memory/2096-58-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
  Filesize: 32KB

• memory/2120-75-0x0000000000440000-0x0000000000452000-memory.dmp
  Filesize: 72KB

• memory/2120-59-0x0000000000C40000-0x0000000000D50000-memory.dmp
  Filesize: 1.1MB

• memory/2200-435-0x0000000000220000-0x0000000000330000-memory.dmp
  Filesize: 1.1MB

• memory/2336-555-0x00000000013E0000-0x00000000014F0000-memory.dmp
  Filesize: 1.1MB

• memory/2724-17-0x00000000002E0000-0x00000000002EC000-memory.dmp
  Filesize: 48KB

• memory/2724-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
  Filesize: 48KB

• memory/2724-15-0x00000000002F0000-0x00000000002FC000-memory.dmp
  Filesize: 48KB

• memory/2724-14-0x00000000002B0000-0x00000000002C2000-memory.dmp
  Filesize: 72KB

• memory/2724-615-0x0000000000060000-0x0000000000170000-memory.dmp
  Filesize: 1.1MB

• memory/2724-13-0x0000000000D30000-0x0000000000E40000-memory.dmp
  Filesize: 1.1MB