Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 01:37

General

  • Target

    JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe

  • Size

    1.3MB

  • MD5

    d7ed442df55737938dd4ba8f5f52c79f

  • SHA1

    5e251104b9b34059a2c402d137969acad1d6ae9b

  • SHA256

    fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0

  • SHA512

    3cbc9e24e25650767625f4277583c2c551d9ead499e46d259283fea70488e4427f019fe56ca68c7664bcd0f59d9e2d8a0ed57a7c0ac57f05e75e1c98de10c3b5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:340
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9eylyvpAgI.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1780
              • C:\providercommon\Idle.exe
                "C:\providercommon\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2428
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2784
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2652
                    • C:\providercommon\Idle.exe
                      "C:\providercommon\Idle.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2424
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2168
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2856
                          • C:\providercommon\Idle.exe
                            "C:\providercommon\Idle.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2900
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1648
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2712
                                • C:\providercommon\Idle.exe
                                  "C:\providercommon\Idle.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2820
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
                                    13⤵
                                      PID:2776
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:916
                                        • C:\providercommon\Idle.exe
                                          "C:\providercommon\Idle.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2428
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
                                            15⤵
                                              PID:2664
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:2928
                                                • C:\providercommon\Idle.exe
                                                  "C:\providercommon\Idle.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:772
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
                                                    17⤵
                                                      PID:2520
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:2336
                                                        • C:\providercommon\Idle.exe
                                                          "C:\providercommon\Idle.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:340
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
                                                            19⤵
                                                              PID:2604
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:2744
                                                                • C:\providercommon\Idle.exe
                                                                  "C:\providercommon\Idle.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3036
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
                                                                    21⤵
                                                                      PID:2940
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:604
                                                                        • C:\providercommon\Idle.exe
                                                                          "C:\providercommon\Idle.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2876
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                                                            23⤵
                                                                              PID:2012
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:2912
                                                                                • C:\providercommon\Idle.exe
                                                                                  "C:\providercommon\Idle.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1548
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
                                                                                    25⤵
                                                                                      PID:2464
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800

Network

MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              070dc09cdb5e5f22fc1b403de6e9181b

                                              SHA1

                                              601f93fcd3eeb212a4dc4ef9896e8b922cd3a83f

                                              SHA256

                                              35c5b1f92056f1736cca031f21d0ff667f5f25f5f7f79a8005df2e2f18b06a9b

                                              SHA512

                                              abbe068009129bfbd08c7932aef34a7635a01cb5f29afd8cea6014fe013c2cd34b08781a0f41759d10de4b23babfd7a457a40c6266c8f2cff2b93d65dbcb3ed1

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              422e23fa57222d2884c233846d70466b

                                              SHA1

                                              4ffc736f8ccc861c2d4a372361f435c524a7566b

                                              SHA256

                                              939e11e30a53d3df12ad0983aeafec5af657543df7737485ca858a2954e70373

                                              SHA512

                                              c8f757bf0fe0314224592347acb2207268c8bc3dbcb870892178b46535e7d7b7db75fca29d0bb19eb6bcb0b78ab756496ac4b1f58f11fdff45d91078a550bbd9

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              e4a92cb81c1d660f5107fdac17b96fe2

                                              SHA1

                                              e0574a97632119e14898b9bf3367dd4126ab87fa

                                              SHA256

                                              57c44519e03748985b3fdc3958991c97e73dc9bc9975740302c76c3e2889984f

                                              SHA512

                                              63cdbf57fe64f22230bf1e5b74ec30ca5ab138c8dc5b1f6cfff4307351317b3fc0ae618de2a8e174939ab8e1bff3cc90be603a00ece5a8df9251dcab46305524

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              f930998372441074ff70830eff126575

                                              SHA1

                                              2581f8452dfcebe83ec5d5bad81f9ff811cc32a1

                                              SHA256

                                              0a32b1ab702e897ebb07fb5c34ef213cbfe8ad468807b2c1e044452cf09e6c93

                                              SHA512

                                              6636d20b0037d8f5b92b1c6c68f50ad9a4bd3f39013be0795d73fdf639bf45a17c87c9613e854fb3db553caabfdbe57329fcb5b51da7595f0841425e8bb38c80

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              9b085030468ef1cf9c2da8c562547053

                                              SHA1

                                              9879abfe36a72ef89fedec88fec7fcfebcea8eb3

                                              SHA256

                                              9d0d5f3299acd1618e7b69787e7f2b204accd74d989982ccbb8154ed40079ae4

                                              SHA512

                                              91463eaf3d22d2983919c8a1f2a2c8a7f0660260dd0b93ac601d9e97bc844f63a1317a9e4cc81da933b87b350c7c7149309dd89291864a3c9c08066bff0d9c27

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\9eylyvpAgI.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\Cab99D1.tmp

                                              Filesize

                                              70KB

                                            • C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\Tar99E4.tmp

                                              Filesize

                                              181KB

                                            • C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

                                              Filesize

                                              191B

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R6FREHR1QKE9WBTRNU63.temp

                                              Filesize

                                              7KB

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB
