Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:34

General

  • Target

    JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe

  • Size

    1.3MB

  • MD5

    261c3f1e4b8be79a0fff991a0f1e90bf

  • SHA1

    80c3f2f9cd8ed8622239ea802bb322c46530549e

  • SHA256

    cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d

  • SHA512

    3287f2186ef49c89b015395dcc5f7e32058099aeb1cc09f054412dd46b29f5d9186acda2d94eadfbb16854f685b5d0870e6dcd5f28451a8f0e58e501cd4ea0f8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mk2kVjaeOt.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1496
              • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1636
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2924
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1276
                    • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                      "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2644
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1960
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2016
                          • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                            "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:840
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2824
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2212
                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2504
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
                                    13⤵
                                      PID:2204
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:2652
                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1820
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
                                            15⤵
                                              PID:2612
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:768
                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1480
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
                                                    17⤵
                                                      PID:2188
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:916
                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2084
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
                                                            19⤵
                                                              PID:876
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:1944
                                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1972
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
                                                                    21⤵
                                                                      PID:1640
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:2352
                                                                        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                                                          "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2844
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
                                                                            23⤵
                                                                              PID:2100
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:1524
                                                                                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                                                                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:332

Network

MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          bed890c6c4e35a73280f33881185957b

                                          SHA1

                                          d2f65b84b06a3bea6794dcba3437eda8577c5975

                                          SHA256

                                          a668b2d88ba664bd3ccf999240932519e086f4af5b2794eb75b31a744d990f7f

                                          SHA512

                                          887e7ce7c4d53da71778cfd93bb7573bf073acb7f06f95fe32c2b88d4cc90981c19898487b576a2d897fe43cefaa9fb3f3200ffdbc31e5457984d570cfc0f022

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          34df0038217bdf646deb0ce9ea453db5

                                          SHA1

                                          bc5b104ff5d4f977216b023396a9a006e1f3bef3

                                          SHA256

                                          3a97eca3e8c8bcb8019d88446dfb2b08db31a8e3f5981ea5fbfa558260b65c01

                                          SHA512

                                          42e1e390346ecb0c5885ba170aa42e69475e32f5b1ca4b7aeba6d355b8df06e2db8883ef4e881abd80e75c5bc17ef33e5519ddffc5ab47b349b0d9859aa45087

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          ee7e5f47dccc0cf802d591875a8e3fca

                                          SHA1

                                          33db294309103ad77db1aa08660561ed0c123471

                                          SHA256

                                          98783cd6afee9df351065eb1074ab0e812005e182e39d2226d5f8e03abb390de

                                          SHA512

                                          e207bbc236bfe124dfce2694d4114310300140b144f3c5ad67358bbecdafffccb8c6e4f0943bf0652256759100f7ac82d56b36e88d30abf12f7133a81ff0742c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a43a3231e2ca383c3f6e93d8a3f56f29
  SHA1: cb570ea24bd4256f6f89280a4850ac12d56ee624
  SHA256: 41bca044dc9ca74ed3c97f94a047db52ddc72fb7a4f4c695ca7af07c1b7efa86
  SHA512: 456df1ed22a26edcfe8b7332d412a32a60069bf611ae03527639c2fca3f2bf5483d7fb5f62ea1160bec34bd53fc897f665d7d542923e0dfbb95033971f9672a1

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 871768afc96e92e8c2c275cfc061879b
  SHA1: a66aba164f921bd65963ce38dd7d31e7b79a59b3
  SHA256: 6be2f1cb2e2b08bdee68679d36697dfc8479877894d3be9c3d85ecc0b5a8950f
  SHA512: d5574d8e48a128163ffaf8a52f0013be96ee3e366ad1a73657ff28e0f65828e716c09fcef27356bad5be31a95d983c8b02bcbbff72354afd5a02ef78e7776404

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7057eb007fe43619bf78b882d63c5e45
  SHA1: 00eafc9e0a4dc72f998efcafaf7885b2d7e2084e
  SHA256: d7644a9916aac172a0b3760489a47ad312ad89675757baaa719db39b7e9392d1
  SHA512: 42438a1863bf87a68951125e30ec1522f93bf7be2298953675e2f627269c264e47e7ab6eed65cfc23caa2080c4a92845ef3096bd6c6098ab110ad62b143a7e5f

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: debdfa8520e68214407698539a94f8c8
  SHA1: 790785865e2c3c85094ddb3ea0ad22d2731689af
  SHA256: bf2dbb7efc86a7e14287931bd62b73de2efc5ace82860395d4b39a389b706a92
  SHA512: 51d0093aa98a088229704939349c6480d21eae9d7c94b55d978d3883c2be2a77d0e1573e353ae040a6e0b3fe250430b9e245de09c4d1d5b5c7f929105e2bc8f4

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0120a90097b3533a46c44c70f71245a8
  SHA1: 3c27e2a633cafffa145cd9689a9b4f6654f5c8b4
  SHA256: d8ec205b514ae056f30c55f8cd804e65f04cec5c7e7ca8eeefac5a04e6f89029
  SHA512: a365d4ffdd75ceee97752ece62ff7326b0d4f3d563d400884192b1179272bad1c07b2063731901b62e90470a7b2dbfae82bb850d5734e38c1e8b96275171ecb7

• C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat
  Filesize: 240B
  MD5: 49f93416fd61db82bae95e3edd26ee29
  SHA1: 2b84214903169d6dec5ad3abcc2e1c1a2cfad9a7
  SHA256: e1d2d904d0a776f15c674dc74b1e75d4d2ae2568aa5327279bfa70b8508701e8
  SHA512: b9669efb456e68180cf0d213d250cd3a1af1b2139f1711919572a211cd56b6c6bd18b90dc8e93329d117701c6d9b9196d9062eb5f26eab07c251a72c438ff086

• C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat
  Filesize: 240B
  MD5: fee9eb71b1adee0012c9bc8641f82f31
  SHA1: a59d464bd4524d1cf1f387c53eaae96a2897e62a
  SHA256: b05cb437521cdbdb40218d38b3b7b2eb1414716ea4159ed47ee5a5407965ff88
  SHA512: d28952851c8ba8d3bcd51ff49208684c6fca0c3113bbad4a13e811be04a9e572d42252d059f11648fcccf93290aea98b239877f60b3101f24928b771acd0e264

• C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat
  Filesize: 240B
  MD5: b227278d2c784ef66812194bdae27060
  SHA1: 77626892c833d1c405383bb0c26069c94d9c2d4b
  SHA256: 8f81e0d19bb8b56a5eba246d1b1986423b6a14de5934bad157c7e4c0e7611b69
  SHA512: affcdb082ade6694716452b285c9ab212908cf58856095a9e57952446e647028ee3e27c697e7c33eeedcbc218564d662aeb6053a6e9d6604cee0ee6bd7987c4c

• C:\Users\Admin\AppData\Local\Temp\Cab6931.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat
  Filesize: 240B
  MD5: 27ebe7418a1335a3007562e8de867f03
  SHA1: db1a8efbac49d3cf414f8626633da245ba67be9f
  SHA256: a4baec56f417bc4392332d3324f29760d46754558a2e4216bea9abade735e0f1
  SHA512: 2c712ff897663e4bcdf9d640455a4985369a67f5de44d3dcb74fb155b40f1a7d1e4151137cfd44d84517c9bf97111b1c7097aaeb93fc13f09b59b7eacb1141f5

• C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat
  Filesize: 240B
  MD5: 93f29e51dcc7ab7bb9af81a66c1f5a24
  SHA1: e1fe676f2c7e90ea697afd78cb6e97cefaf67629
  SHA256: 0eaf4f2dfa95e932cfd70f5a7b93c7f974cb1f082362f32bbef396fe9307fa8c
  SHA512: ce44ecd20eeee5d8543151a0b9f66160d18f34dce737077f74b5b85aca05a697aa776edec76118d640581ba63110198a5bd8289db836c8998a96b5c82c8d2602

• C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat
  Filesize: 240B
  MD5: cab67c46558bbcce57de299cf1c7acea
  SHA1: d676cde87e43fa2ddc0d4c4406522088dab8ab6f
  SHA256: 5422ce8e519978d32f84b0c3c4da4d054eeffd1abf243e26ac9bf3b51c013162
  SHA512: 52b08d0a10d829a1383d00a5948eeac7a3213930d2b31ec2d3794deac83e726f0d563e2ac79f22bee02bb2a2b1706ff6089070811f8969b95320f10bb0d5f643

• C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat
  Filesize: 240B
  MD5: 1123b8d045be2a9af5f6ddf987763122
  SHA1: 5b791add83aed70a7291d0b3485d6b0c6dff8d38
  SHA256: 042d826b0a494c048ad188a1ab507ed3342f38322e7a1e7473239a769f5bd96b
  SHA512: 13985c5e41160e38dfd66f1bf33a723e27018a104e913a97b8a936bf5a5e0505ab56f830ede64e06ccd697dc0eceb354eae83d594ea9a6f8599c123435e9b798

• C:\Users\Admin\AppData\Local\Temp\Tar6943.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\mk2kVjaeOt.bat
  Filesize: 240B
  MD5: 0135a13ff3412f523c5f1519000724c1
  SHA1: d7250bad90456cfbcc621626f7f6006939dcce6e
  SHA256: 4a1cd2e04a9d77cce275e582453a030f837429a9c6511704e5233972ce9286a0
  SHA512: 7f36ac6c589049763aa4bfd4b35051ada7483c541d5b6cd665fe46ea89c298f7f4414ab9baf11f15f7ddfea3e1acbaabb79a661e1033f440636aed027e0de879

• C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat
  Filesize: 240B
  MD5: 3fa33bbd6e34b3d88a8442e66183e69a
  SHA1: 44f8ecb9eac3bb8e3bc2606d30351b47b72c37d1
  SHA256: aa54ae5425a788b51022b3cb3f4cbe7ed9f5997ac6cce72f912b9eb579ab81d0
  SHA512: 8b9b0e2cdba12c79ed2717536da108fb5610f3d8a1eb5e8b3fc9995440f42559baba9ca6fcae310e0540ac7cab3e72a12a0152aabaee3aa633215091193dd1c0

• C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat
  Filesize: 240B
  MD5: 5e36bc1ed3244e2c6005d1341dc1f58e
  SHA1: eb4b1739b8e4b27cb32c5754043b3d0bb1fc9ea2
  SHA256: 4adab41c7e3180cb32b4f831b80ba7f4985da4e78eb1681bd824c4fbb875c91a
  SHA512: 0552df6d6b2a08a1fe9a4c91549b3c265aa1f9215537fd12343317456e1a6d31557555ca43e32b50c56e328323f09fd72d12c3c105f2440f257c3d0fad898208

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: e132a90c7d55d5173584db463861a107
  SHA1: 1b77e6bb01de427a1ad9a22bc3713ebfb01b8411
  SHA256: bab55c1c6db8a17aeaa57375f6082d5920e1abd3e10c1e10f3f250f72fe39a77
  SHA512: 63b03e085cff0430173a4016f58d0f4ece67eeb98efe47dff47ca9a25da5dcb92969ec58e766fa4ed0f7b8052e60f0e746d4ef4c257f6075ed5ec8209f11a2c4

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/444-59-0x0000000002960000-0x0000000002968000-memory.dmp
  Filesize: 32KB

• memory/444-48-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
  Filesize: 2.9MB

• memory/840-194-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB

• memory/840-193-0x0000000000390000-0x00000000004A0000-memory.dmp
  Filesize: 1.1MB

• memory/1480-374-0x0000000002140000-0x0000000002152000-memory.dmp
  Filesize: 72KB

• memory/1636-73-0x0000000001240000-0x0000000001350000-memory.dmp
  Filesize: 1.1MB

• memory/1820-314-0x00000000003B0000-0x00000000004C0000-memory.dmp
  Filesize: 1.1MB

• memory/1972-494-0x0000000000F00000-0x0000000001010000-memory.dmp
  Filesize: 1.1MB

• memory/1972-495-0x0000000000280000-0x0000000000292000-memory.dmp
  Filesize: 72KB

• memory/2084-434-0x0000000000830000-0x0000000000940000-memory.dmp
  Filesize: 1.1MB

• memory/2156-616-0x00000000001C0000-0x00000000001D2000-memory.dmp
  Filesize: 72KB

• memory/2156-615-0x00000000001D0000-0x00000000002E0000-memory.dmp
  Filesize: 1.1MB

• memory/2504-254-0x0000000000B70000-0x0000000000C80000-memory.dmp
  Filesize: 1.1MB

• memory/2644-133-0x00000000002D0000-0x00000000002E2000-memory.dmp
  Filesize: 72KB

• memory/2644-132-0x00000000002E0000-0x00000000003F0000-memory.dmp
  Filesize: 1.1MB

• memory/2800-14-0x00000000003D0000-0x00000000003E2000-memory.dmp
  Filesize: 72KB

• memory/2800-17-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

• memory/2800-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp
  Filesize: 1.1MB

• memory/2800-16-0x00000000003F0000-0x00000000003FC000-memory.dmp
  Filesize: 48KB

• memory/2800-15-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize: 48KB

• memory/2844-555-0x00000000002D0000-0x00000000002E2000-memory.dmp
  Filesize: 72KB
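The dropped-file and memory-dump listing above is only useful as indicators once it is pulled out of the report's label/value layout and the digests are checked for sanity (a line-wrapped or truncated SHA-512 copied into a blocklist is worse than none). The Python below is an added example for this page, not code from the sandbox or from any project: it parses entries in the layout shown above into records, rejects a digest of the wrong hex length, derives each memory dump's region size from the start/end addresses in its name and compares that with the listed Filesize, and matches arbitrary bytes against the recorded hashes. The embedded sample is a constructed excerpt that reuses three entries from this listing (the batch file and DllCommonsvc.exe from C:\providercommon, and one dump from process 2800); reading the dump name as memory/<pid>-<index>-0x<start>-0x<end> is an assumption of this example, as are all function and variable names.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into IoCs.

Added example for this page, not the report's or any tool's code. Assumed
layout (as extracted above): a bullet line with the artefact path, then
label lines (Filesize, MD5, SHA1, SHA256, SHA512) each followed by its value.
Dump names are read as memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp;
that reading is an assumption of this example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: three entries copied from the listing above, in the
# report's own label/value layout (raw string so the backslashes survive).
SAMPLE_REPORT = r"""
• C:\providercommon\1zu9dW.bat
  Filesize
  36B
  MD5
  6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1
  17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256
  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512
  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
• C:\providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  MD5
  bd31e94b4143c4ce49c17d3af46bcad0
  SHA1
  f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512
  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
• memory/2800-17-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize
  48KB
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
           "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)

    def region_bytes(self) -> Optional[int]:
        """Size of a dumped region, derived from the start/end in the name."""
        m = MEM_RE.fullmatch(self.path)
        return int(m.group(4), 16) - int(m.group(3), 16) if m else None


def parse_report(text: str) -> list[Artifact]:
    """Turn the bullet/label/value layout into Artifact records; a digest of
    the wrong hex length raises instead of silently becoming a bad IoC."""
    items: list[Artifact] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            items.append(Artifact(line[1:].strip()))
            pending = None
        elif line == "Filesize" or line in HEX_LEN:
            pending = line
        elif pending and items:
            cur = items[-1]
            if pending == "Filesize":
                cur.size = line
            elif re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[pending], line):
                cur.hashes[pending] = line
            else:
                raise ValueError(f"bad {pending} for {cur.path}: {line}")
            pending = None
    return items


def format_size(n: int) -> str:
    """Render a byte count the way the report does (B, whole KB, 0.1 MB)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def region_mismatches(artifacts: list[Artifact]) -> list[str]:
    """Dump names whose address range disagrees with the listed Filesize."""
    return [a.path for a in artifacts
            if a.region_bytes() is not None and format_size(a.region_bytes()) != a.size]


def hash_bytes(data: bytes) -> dict:
    return {name: h(data).hexdigest() for name, h in HASHERS.items()}


def match_iocs(data: bytes, artifacts: list[Artifact]) -> list[Artifact]:
    """Listed artefacts whose recorded digests all match `data`."""
    local = hash_bytes(data)
    return [a for a in artifacts
            if a.hashes and all(local[k] == v for k, v in a.hashes.items())]


if __name__ == "__main__":
    arts = parse_report(SAMPLE_REPORT)
    for a in arts:
        print(a.path, a.size, a.hashes.get("SHA256", ""))
    print("region mismatches:", region_mismatches(arts))
```

Every dump in the listing above passes the region check (for instance 0x40C000 minus 0x400000 is 0xC000, which renders as 48KB), so a mismatch from a future report is a sign the name or size was mangled in transit rather than a property of the sample. To sweep a host, read each candidate file's bytes and pass them to match_iocs; all four digests must agree before a hit is reported.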