Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 01:41

General

  • Target

    JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe

  • Size

    1.3MB

  • MD5

    8af4a760f458c1d594d86702e6925e9b

  • SHA1

    aa81fe6ae366e98e419c13dde9e957df33ade6e1

  • SHA256

    81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5

  • SHA512

    8dcd547dd3eb78dd9ad22b1feffaf3ad4a45ff08be642f0fcff729cce4e9c93e2212c59eeff3f9cc93f391e26639b765ef77a431b385ec70e901f5bfea9c84bb

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2404
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2588
                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1544
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2932
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1964
                      • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2244
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1424
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2076
                            • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                              "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1316
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2204
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2228
                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1268
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
                                      14⤵
                                        PID:1588
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:1272
                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1664
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
                                              16⤵
                                                PID:2208
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:1492
                                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1924
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
                                                      18⤵
                                                        PID:2496
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:272
                                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1772
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
                                                              20⤵
                                                                PID:2772
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:2732
                                                                  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2760
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
                                                                      22⤵
                                                                        PID:2680
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:2804
                                                                          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                            "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1632
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
                                                                              24⤵
                                                                                PID:1764
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:1692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:664

Network

MITRE ATT&CK Enterprise v15

Downloads


                                          fd1d2c0c89a1a4fb9c69935e6b793e905f5966b7924d3138dca64102baf4315e

                                          SHA512

                                          d054be38646a0882cf283b3f3fa65af09c116b4d18771198773d23c759fb1c06d371674976f5e1bc5dfe585d9a3a1de5cafe0bb0356552d685390091940b38e1

                                        • C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

                                          Filesize

                                          240B

                                          MD5

                                          7fdf02d6aeed442ecf69e222dec747f7

                                          SHA1

                                          f97b153bc48cb063eeb351d099cf7cea4e5c5a30

                                          SHA256

                                          9bac172d3abb4ad3be11007f7f024153c8008674737db3a5981232590e2f8f71

                                          SHA512

                                          f34279bedf26dcd93a0fbe9577be5387ba11a7556f9dcb1cc12925ac35a28e048e839b6176b9e1cb8c95a47c8a47b0965427c3900ca5cd023c9a16b54c60a756

                                        • C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

                                          Filesize

                                          240B

                                          MD5

                                          6fcca29d206a4434128f03d31e0e9cf8

                                          SHA1

                                          0d71d5fe9f17be0ecc02de473fad2c9678114474

                                          SHA256

                                          c3940a7a26c67b6fb4a9d8872f8889a5d5c21d85e41be578b391fb6a0ec99088

                                          SHA512

                                          2f5a528450700f2ac17b55e2f83dcca7b10e0d73fbf8b12185688bfccb4908144fcdac6f8a0b8f0606778ae8c6e181005652e1a6a0476bc020ebbfd47cc49043

                                        • C:\Users\Admin\AppData\Local\Temp\TarD1D5.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

                                          Filesize

                                          240B

                                          MD5

                                          b0d2865ed890c452071e1a3a53b8c5af

                                          SHA1

                                          fc34a551bc0002557c71b5f6272490ef692f35ad

                                          SHA256

                                          a260c2cf886e64c9378c416bee276d03c0492fa3d76fe0f3dc1f9f8175be4b9e

                                          SHA512

                                          d73c672274983b6876c2c97b81ffc9f0dc69367811ef40f873339d91281d567cc9c26a82d579adc8c1edf74eceedc42651826a644b82c8d608e32ac170894864

                                        • C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

                                          Filesize

                                          240B

                                          MD5

                                          7a3fc26456409eed88b6c8b543723806

                                          SHA1

                                          9ff030343345a0f3f38c03cbccf72a004db9bca4

                                          SHA256

                                          7a20c0187ba4ea95cadda49ceb07b2142b849be8fc9ef565c786d9022c953ffa

                                          SHA512

                                          5629fb9e07fb35fedac7a9d9404dca24e37e827f55cd4e6e5ff89f5ac16112dfa4e3ae2475e960b7169f1bb0484a58764cc2894ef72f8a6ac4759064e35f840c

                                        • C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

                                          Filesize

                                          240B

                                          MD5

                                          b1a3654189d57024580a32020ed2ab0a

                                          SHA1

                                          42e2041670fa251c387f58972f058f0fa39e3559

                                          SHA256

                                          74aa38cd06ee13507643d511d5fb3079197b148f61f28cd5a160503f474be370

                                          SHA512

                                          393ec2269914826b04debc422c0663efcd1c8228f51d4318afd1193ee0b6d9494e67b1af04e57169d87e9baf7395bfbc851b1c6587fea03fc1623d06a8e72f50

                                        • C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

                                          Filesize

                                          240B

                                          MD5

                                          5cda677f2fd62064b2059dad88946bdf

                                          SHA1

                                          d751e83a28def0fde7f8f7b5a2d1ba9339d439ac

                                          SHA256

                                          3a49f4dc2c5b061a87e05c05a6b2f89e52115e82c720983d4d879db46ed2b051

                                          SHA512

                                          1b352fea0efad045d05bd106858c12d660c4ec37cc46a8d5d23340c92d13c28153abe500c16e9dbe69bef565d52fd75324054c2a7dc700091d68fe66483c2ed4

                                        • C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

                                          Filesize

                                          240B

                                          MD5

                                          9ecec34ca06e648442fe31a0fa10ce0e

                                          SHA1

                                          5edefe6613d84df11722d2cc76dc3a5a9fd2b85a

                                          SHA256

                                          d70daf05213b97240a1ed73b31d1afa152ebc6bca8ece7f378313a31f3a73623

                                          SHA512

                                          1ae7653339caef9a6d82657bfd47a2472b5f4ab0267def89050201309fd66c6e0936e8dfcb6f7285a473a8fe07a74e5ac31048eb698c3c585067ad8ac89d4e67

                                        • C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

                                          Filesize

                                          240B

                                          MD5

                                          472c0ea65b807df0e9b37f640bd158d3

                                          SHA1

                                          87c106a434f5a4520b02f34d1197a38e9cf74818

                                          SHA256

                                          fa08da76a872c2a39748922206ee6f0a934fe1e3dc0fb3770b492e693e6e5b19

                                          SHA512

                                          c69de0e04e0bf42bc2191a02b39499e679c75830948f78d9199197a1d7279695874ab2bbe43b016f7659f0832fae2b2d1935c1c23246bd0c7da89e0d723c4ac3

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          126e6c0b32b109c5254d0902e7d1c033

                                          SHA1

                                          efa4c566411b6acb6d30db893461c9ae20d8716e

                                          SHA256

                                          9b00538185356417b70af05e29ef7f267308d03b3b6a66c7116fdfa0b7433809

                                          SHA512

                                          cf16f1db2560dbb013c68ffeaea101d58cdfa2dc2661189982b76f945c68a1061b170328354000d69b31eb1aa5d88e2e00f3d3b79be95ce4fca65d4d6b8f8299

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/316-58-0x0000000001D70000-0x0000000001D78000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1268-298-0x0000000000F30000-0x0000000001040000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1316-238-0x0000000000E00000-0x0000000000F10000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1492-57-0x000000001B660000-0x000000001B942000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/1544-118-0x00000000003B0000-0x00000000003C2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1544-117-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1632-598-0x0000000000930000-0x0000000000A40000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1772-477-0x0000000000070000-0x0000000000180000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1924-417-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2060-17-0x0000000001F30000-0x0000000001F3C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2060-16-0x0000000000580000-0x000000000058C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2060-15-0x0000000000570000-0x000000000057C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2060-14-0x0000000000560000-0x0000000000572000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2060-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2244-178-0x0000000000D80000-0x0000000000E90000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2720-51-0x0000000000DF0000-0x0000000000F00000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2760-537-0x00000000001D0000-0x00000000002E0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2760-538-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                          Filesize

                                          72KB