Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:41

General

  • Target

    JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe

  • Size

    1.3MB

  • MD5

    d56ce03b4b90817dd9b3146e7ad21e32

  • SHA1

    bdcf7fb63bf4a57487fce8daee047c0ae3495c4e

  • SHA256

    0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598

  • SHA512

    376c62ffebec37af68258c3f349b610a46a890bdbb758bf5b4a40d20f958a9ca022fdaff708438dba8772c700e2f0cb5eecf492e46f2167c1d84cbdb067714e5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1708
          • C:\Program Files\MSBuild\Microsoft\csrss.exe
            "C:\Program Files\MSBuild\Microsoft\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2452
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:764
                • C:\Program Files\MSBuild\Microsoft\csrss.exe
                  "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2068
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:944
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2156
                      • C:\Program Files\MSBuild\Microsoft\csrss.exe
                        "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2800
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1540
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:348
                            • C:\Program Files\MSBuild\Microsoft\csrss.exe
                              "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1692
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1720
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2300
                                  • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                    "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1568
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
                                      14⤵
                                        PID:2872
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:1728
                                          • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                            "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2292
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
                                              16⤵
                                                PID:1536
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:1928
                                                  • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                                    "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2952
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
                                                      18⤵
                                                        PID:2456
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:1352
                                                          • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                                            "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2280
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
                                                              20⤵
                                                                PID:2860
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:2856
                                                                  • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                                                    "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2600
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
                                                                      22⤵
                                                                        PID:3040
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:2128
                                                                          • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                                                            "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1668
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
                                                                              24⤵
                                                                                PID:1664
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:2468
                                                                                  • C:\Program Files\MSBuild\Microsoft\csrss.exe
                                                                                    "C:\Program Files\MSBuild\Microsoft\csrss.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: b4b53eecfda2ca7fb18302a73d015c0e
    SHA1: c2033f0da684aa2a197a8c84e7af0690a2771aea
    SHA256: 257af08f650f7f551cc1c87a0ca674923151835ff34bdf83d61a863772b64cb1
    SHA512: f2fa5d0a771548abe5a8f4f65063a9a4668cfd17377365643d764b0978f60e1a1b582c5fa5b36ad12b0687042283c3140d0b57632ca40f95c48301f4a8b83f6f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 7b34745b34d0fb50516a88d85a2dc8fa
    SHA1: 40ba3ae4cf89befc09378f44ad3e378532e46e7f
    SHA256: b9b213d022d1d6651e2f6cd8f90f2cc499f9201d012fb7679b00c816a65d9bf3
    SHA512: 42d2fa25e6362f4e648e5b6dbb20d99b74295775bc016d2efa02a7fcf60c3ac4b72fcd4d8f4c07b974d98e4baf09718f8b568dbd074b9e10d2d3d1560d4249da

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 20643d296a3abd703475b77e3acec5ec
    SHA1: 88072f03432820c21cef8ab71772dd402b8eb229
    SHA256: 2cc38c4001238e2ac855da28ca82a7328298c8cd2d02c4d2c5a429091703a9e3
    SHA512: 1237538b2543f0ba1b0f73099e9b6057c9e523621fe6aa4f0bd490a400503bece8cf979913bf20a621e9ecb5268ce46aec3fda82c51aa59fa12f5fb6c8a7fe1e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 190da28354a14106eef46388f445cc6a
    SHA1: 83b05041784b71bb2c0c58d42c67068a0296a700
    SHA256: 6a1f54940bc40468a2069390d5456a9657a3afbb04ada70792362b02df1abc4f
    SHA512: eb697a805b165c080b914c98671d5daf265e3694f0979d45a12b884d8c49cba6cdcdc1a5bad3bf14d249a580dd3b26d57a2675adbd07e9c1b06eda47aadab40c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 0e2684512959ad8dbfa9ba8fb66ea26a
    SHA1: 2f481285af7ef8b4027cf5326fc73ce6c954b417
    SHA256: 4db812543233656cd296109f0ffb1e6158a403ada440ab9bc43b214ca9efcc2d
    SHA512: 5acd5a0dab0f32256b11c118efbd1ed312db1e12d3c4be1d83b7b305d49fcc907b96d2dd24342646e77169e391dceefb1829cea2c7a1891203f9ed499a945638

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: c1afd9be066b42461ff0e8209e61ca82
    SHA1: 599ba965f6a72a64c1ecabf2e52704ac9d250fc9
    SHA256: d4b8dda38e024d7f3a3694a4b5b4f15f6572a7a87dec34061a1f3eacfffbcdb4
    SHA512: 3d631e60d959ed6031b7c7823ff53b75f811b1b9867d448437d181c45077e492921f7f76bd9f89c7a5dddf5f021d2f96cea11121f0ffc09da03505bde9e352a1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 38c0285d0a253f6a02efd1e07b461e13
    SHA1: 9adfc3649807f99f0a31ceb256e9e7edbd59e8b2
    SHA256: 382fad704fd2e07f988cafe2a33feec2b20b90c4170ad6609a199b8145426f70
    SHA512: c406f8c20cc69a29bf1bcc9763ca0550bf165acc7873be4c9dc94a9615f8416241348f298213e37dab3e337591018f7beaabe6da02e226f5bd82578aaaace4e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: fa70e16b5386efd8c712c8c8c22880c2
    SHA1: 986eec7dac757ffa05cb191c73184c42e0120fb4
    SHA256: 00af822507b4d607acdfb6d395de7df5725a60272521d248c43818e8b2f24bfe
    SHA512: 611cf65b20b9af13a098f951c8e4700f9dc6b59e65c979c502fa328aab931be03d17aa38ed7bc31a216b0e4d3d569495ae440780a453c5418f6b25fcc9f37425

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 3c70aa56d0ca3995ad9b2ac2ed3df388
    SHA1: bf62e17fa6f10805ba7bd4a722f8a8c7e57abd44
    SHA256: f49b8d5c22bab134387ef794a66d72d2a4656aac5d40c66d62dfd99d73a7dd4f
    SHA512: 4052e08355a995c949aba1c15c8173bd5a457317528bdba6534a431a96f09ea1a8cd164529ffafd5c048e83919f0aa37b2686fe8566a1d831ed9243838f7041c

  • C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat
    Filesize: 209B
    MD5: 1e70046fbce9fe0ef5030be1e8820b4f
    SHA1: 11db1394af91fabc2e31fb4acde16369c4e1a35f
    SHA256: 18ec7263794ab34cfc6354140ed41b8799b10a2603f1a6d63723cb4a74bc1e68
    SHA512: e00742d751f3b48b43ee78d40ebf0e073665c6973f3c54f091a9332d38d720ad4b33a8db6c9a9d0a5cb41d0db25689a6c4b0191dbf2de131ca443ce99a73d386

  • C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat
    Filesize: 209B
    MD5: 02f932ce7e126d283982434200b3d0c5
    SHA1: 85f1d2f6582c64f5131be8a9e96b824cd4b8d7ac
    SHA256: 9ae0a8ee18ba9bd7af78c8d86df0e23a1f707a2f617f950759937f505ab348ac
    SHA512: 98a32de94893418f5574a581e4351495461a8cc1b5ac6505b28a9f3d7a06d95e4d80b90e012a7c0aabd34fc356155460eff6b90f0bc1981e44b5996396aaffaf

  • C:\Users\Admin\AppData\Local\Temp\Cab149C.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

                                          Filesize

                                          209B

                                          MD5

                                          264e0de8b2dd5b19df3d8a8ff5df030a

                                          SHA1

                                          2937505c94fa9e4eed221fedc7c670a55480e30e

                                          SHA256

                                          98dea75e8d22b8f87840e874680c13555fdfcd5ac301411630fc871e3de5715c

                                          SHA512

                                          3d377dfd5f28e48fffe51f9e84931bdf4cf0b2a8703614b893bbcf3bfd65ec80ac74a6b1c3b19e0578d471bbafc52b12c468a118ce0239f381d75c4ad655c2ae

                                        • C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

                                          Filesize

                                          209B

                                          MD5

                                          48171886fb1beba5aa2da88471d71fcb

                                          SHA1

                                          cdb704d91af34f2fe42b83aab93c03c45493d0f5

                                          SHA256

                                          051f575e0a263e1e68be35a7e49d2a9dd497313771c3ef770ec27d34c3df8a80

                                          SHA512

                                          d60693042e1bf709932cb802c0c452d81b7012b6e279ccda8bf7eeb53d30ea37d1e54f151ac4e6fcebaa7b045a8937ff60149b918b4ab357fdc3a7a23778a065

                                        • C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

                                          Filesize

                                          209B

                                          MD5

                                          4ea2b8e7f7e3d1456726825edae95c2e

                                          SHA1

                                          a1a32966da5b7845a9b0502805c0b09120036d38

                                          SHA256

                                          c9918226edc0d67428642aa657d8d3f18cf0f76cfb32d63a46fbc551f1389689

                                          SHA512

                                          7b9193270ab942d645566e882edef5f9d2f10bba3e8684067c6fbf95745b892a3e4e2d227ec4511b77447dd9c0c411b3e1a06add0a2c0e84a8081931af7151c9

                                        • C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

                                          Filesize

                                          209B

                                          MD5

                                          4d776d35f1cb5c082087b3f07918fb79

                                          SHA1

                                          1ca5b7dfba26390d3fc92616f479c2c8fb30eea8

                                          SHA256

                                          9290fa1836b3c65d7521e7b652864aea7e2a95aea45b04b17a80a0ab35cfc0ad

                                          SHA512

                                          df3b787842a5ff7a0bfcb39d1de20f719066fa0948c38aaeb1ca744edfe7e333f703982785114c8abc6f8bcf9b144109f8a2587e5c43428cc5d1067bfbd16bb4

                                        • C:\Users\Admin\AppData\Local\Temp\Tar14CD.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

                                          Filesize

                                          209B

                                          MD5

                                          7a3a5502acf6af616f1f930fe25a9441

                                          SHA1

                                          2e4b0a65fd7eb24e9ad361782bbfacc15951a6f6

                                          SHA256

                                          3c65fb06810fc30fa612acb3c60147c86068f75e3b6d8223e46651d76252c509

                                          SHA512

                                          94e1ed87e8d57ff7539fe94f9a75872f497b5cafd0123d418c74c8ab84777179a5fb8fdafe356199cd7d937ae172913112619e4a77d25686d132a4a2050c1940

                                        • C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

                                          Filesize

                                          209B

                                          MD5

                                          8f39679d791826dad83910be1deabd71

                                          SHA1

                                          03a4163c51d214dcd8eaa10522f00859796ecc4b

                                          SHA256

                                          05d39808aa6e7c6b142931f19623ae79e88bff7c57c8f2c526518b5d75df3d5c

                                          SHA512

                                          ead369882cb791b61520fa7d73d2a3b43071a0c68c80666740c19b148aef1920864406c0772b1a65d52f6d330c850428d57671e92b792e11c75694a25b80aa72

                                        • C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

                                          Filesize

                                          209B

                                          MD5

                                          d90c8eeb0df0ee91a07f2276d22a9e0f

                                          SHA1

                                          c08535ca5461db10c1472fe6fea3810d7d981a9d

                                          SHA256

                                          c54ecfc10a1cfc76c48e2fe1b4b9ae808c692574dfb50fd7cc55ea914cc218f5

                                          SHA512

                                          3b607d86ed186eaaf5d23652d94746bf9d5145b982035de76ebc72d3236f6a491d7d602b375e6a481b8f38f5725b38213be8579c03d19b588469e8ad56ce9eb7

                                        • C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

                                          Filesize

                                          209B

                                          MD5

                                          c87605716b3604f5cddfda150437d10f

                                          SHA1

                                          c70a1a8dc8e1b1929cb81748cc9634565a6e2fa0

                                          SHA256

                                          17a02031d96bf671d2c979b8529f7c6228394124ce68448c9b5ad3c432d77825

                                          SHA512

                                          1ce363d3716a10fbdf0431b6544f1104c22361ac962177b3ccd1a95a0c76e1660673864b3f5fb1af11cb0b55baac3014094e1859718fe6f2a99a203a3b896839

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JE0YFJX1IMUMR6BOFCY7.temp

                                          Filesize

                                          7KB

                                          MD5

                                          8620a1a5ac537434304cc8c7119e5ad1

                                          SHA1

                                          58a0177b861cec304557e93a8a3a82ea06410a93

                                          SHA256

                                          87e8a48439079e3003f3fadbd101b06d480b55dc3d7a293d0d5e121426396e64

                                          SHA512

                                          39e553ba557fbec09b8c5070b0a290085fd5301ea0c82ea53c9a1a79b2bfe99016a2cc59e6a90876f82d3dec562dc58a9ac62713d2742781e382084022bdf7bd

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/1644-57-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1668-595-0x00000000005C0000-0x00000000005D2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1668-594-0x0000000001350000-0x0000000001460000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1896-49-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2068-118-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2292-355-0x0000000000340000-0x0000000000352000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2432-58-0x0000000000010000-0x0000000000120000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2432-59-0x00000000005D0000-0x00000000005E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2600-533-0x00000000000F0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2600-534-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2896-16-0x0000000000550000-0x000000000055C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2896-13-0x0000000000070000-0x0000000000180000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2896-14-0x0000000000540000-0x0000000000552000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2896-15-0x0000000000560000-0x000000000056C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2896-17-0x0000000000580000-0x000000000058C000-memory.dmp

                                          Filesize

                                          48KB