Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:27

General

  • Target

    JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe

  • Size

    1.3MB

  • MD5

    34df7506e76ceeb4d9d568da789a4a45

  • SHA1

    68b2e32ba9e0e438076f711bb50bc0ceb4e82b79

  • SHA256

    6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f

  • SHA512

    fe4d087bca3b893371688b2bbb5f7b1211b11cf6180c164dc728e115c87ff0bce7f913f7458f974d5ea540d0ba3e9bef84dc6ed3dcb4b95dcbda3ec7499ff1b9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\wsearchidxpi\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4Xd3ofT6n.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2548
              • C:\Windows\inf\wsearchidxpi\dllhost.exe
                "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:872
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2000
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2332
                    • C:\Windows\inf\wsearchidxpi\dllhost.exe
                      "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2820
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1500
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2132
                          • C:\Windows\inf\wsearchidxpi\dllhost.exe
                            "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1872
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
                              11⤵
                                PID:1584
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:1920
                                  • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                    "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2164
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
                                      13⤵
                                        PID:2996
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:884
                                          • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                            "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2328
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
                                              15⤵
                                                PID:3008
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:1552
                                                  • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                                    "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2096
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
                                                      17⤵
                                                        PID:1580
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:1960
                                                          • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                                            "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:564
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
                                                              19⤵
                                                                PID:2548
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2648
                                                                  • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                                                    "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1808
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
                                                                      21⤵
                                                                        PID:2588
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:340
                                                                          • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                                                            "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2100
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
                                                                              23⤵
                                                                                PID:1564
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:1184
                                                                                  • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                                                                    "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:992
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
                                                                                      25⤵
                                                                                        PID:572
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:1716
                                                                                          • C:\Windows\inf\wsearchidxpi\dllhost.exe
                                                                                            "C:\Windows\inf\wsearchidxpi\dllhost.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2976
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2660
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2676
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2332
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:560
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1108
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2472
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2688
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2820
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2824
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2312
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3016
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2488
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1148
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2256

Network

MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 ed663a74a6c8385c54cd242f041d23e1
                                                SHA1 04ac82b8d3e08c9bd6488c4fb54079205d15b3cc
                                                SHA256 dcee90960705bdd63a11c48ab439c2c7b5026e8e0209ec70a50e6a51c5e58725
                                                SHA512 f87ca0c7a08ee91d44a1c433397f0fa5e0023d74e6a9c7b76061f89f5db81c72a0a4c0a43a21cc31a46e853216908ee9227f2696835225d9c65a95f7f1b67baa

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 f8e2530019d4237fb00c40bff068cd95
                                                SHA1 559286907e4fab310de2a0bb693d6e97bd36e788
                                                SHA256 fd2798a7aa2ff5f4a5493f7d442544f077b055d98ef2687fb9106f4852cb238a
                                                SHA512 f14e7781f760e7f95c81b1a524cf2ecd7edf4a1e3610b8702c989f31fe5e84623987ddb0f6da2ef3f3b069a64503489d3666f44341d709a66083ab4b969ec855

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 8c3e978d09dee946c971a646bd359a73
                                                SHA1 38ba645d11aa63993e3c8017c2518cfacb7548cd
                                                SHA256 4c1a268856091a13cb8f8baef7758007be56462b7559b9591d45e767004c8fd1
                                                SHA512 44616728470f16373c176eedcb6260e82520fae31971dd0f7186fc8b9880868c440765038f24294fa09826603064455d84c2dc259915a6aa400161eddb535596

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 60d92203dc53d1d7a439651e2a199c96
                                                SHA1 3eca80ff09e9f48755940c196c24b92543b7fc04
                                                SHA256 9b8ba49486e13af402cd7ea9359bac6d6d4e18466e0d5f05801d77b321bf8c09
                                                SHA512 859394dc4b73aa10056d262e5ccf0f7d71423cf7ec706360aa43e51cb5c9ddcb4897a08d3bbabee6f41b9246fd80d37ee634b5288a7897a6de05bf2676f98d87

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 cadd657d3208d921b8efa4328ca53d5b
                                                SHA1 953078ef2c5cb4beb6218f05c06ee5e4ded6050b
                                                SHA256 bb28900f9e0f9a212ee5ceb4f200ecca741b700b0226353c106d122c7c7cfb27
                                                SHA512 d8db2b0fb7023c4b4013bff8597bfadf50bbfd40c2bd041e1b74b4e01a12aeaca30b44ccf70419aa2c27139ac5ff633879c0a2766f6350037fd9eafa827924c4

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 432d646cfc792250118cfebf830965d8
                                                SHA1 c5703f4878337842fc6cce0ea4dffd6b1fc73075
                                                SHA256 38d451f9428fbd27921b8fd440e7944cef12a8238e5c7baf6fa95eb93ea25149
                                                SHA512 a2e581e8669e7eca2450f567ae59fb06d88db206f208731530594c40dca5a8d4c9a779d559625cabfeeaacfdda15cc3ca22ea5a4a4440f5191c76fc50b230264

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 c962bb8dee6e6481e801773bcc8b3458
                                                SHA1 ea0cdd394d42f8a500eb96e46af3115ec72cb206
                                                SHA256 fcb7d560316622e5bf4ddefad6de706f4c7af408885fd08ad57e10f52734c1b5
                                                SHA512 4352823ed96c298479fc317c2c76b653dc5a9bfdd1ce7f8fd33a400fa7473c083d53d9423a404bca4c9e147c4708c163c1bdae64eddfa723ab532dd954330f9e

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 bc3877d18af98dce50a54330f94139eb
                                                SHA1 8bc4fa0a9152f1b5005c44e22af83fa6ac8cb2d3
                                                SHA256 78896088086d2e2bba55c50cab2f577c715f24c9e3645b0c0e191e4dd73105f0
                                                SHA512 c1a1caf5a0b6ece150950f2485fc24f189e4812197475c04aa00702396f1f1e1263cf59a1f57b1255c8edb8e43491bccd74ba0a529918ffd68cb03f7c38c2c05

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize 342B
                                                MD5 5f4641de2e4344d0136a7c5cf2da05b7
                                                SHA1 98610daff13dacdc7f09c4c0dad2bf018bc98dbe
                                                SHA256 282d26e7f3246844f19af7a8506f3994a62fb4edade917d0b9dcedac2bcc9f0c
                                                SHA512 98e9fda6777bd7acb2fdb9174eb996030b0f977f6eaec7cb62a2adc78c189dd7f48de2204c5f86022082063f7fbf72d4f75287e093615d7a47e2ca070552e652

                                              • C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat
                                                Filesize 204B
                                                MD5 e94b3d1358aaab6ff355e44c51caff36
                                                SHA1 6938744953f009b657f58ee4fb207627bb8f0a78
                                                SHA256 bdd285f1fabd3b53968571c277e7f99c484fa862d8fcd3c6adb2b6644df287b2
                                                SHA512 53ab2c9a9d23ce27176cce1ef3c8d9f6be32e4d1a8bdb6b036c99211493ce9b995e5ef8afddcbe2f60f861f762d8be17d09e75ffaf30414893e6a81432b9df6e

                                              • C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat
                                                Filesize 204B
                                                MD5 98e37877a1e74ad495f25a0401627820
                                                SHA1 12b5498308f9140d0e285506c22f0a8339a65c3b
                                                SHA256 4f1ce7e70914c78cc9e72cf103545088410e1ceadffbe64521e0767a7161ca19
                                                SHA512 c33b950f29cae7cac08176c42ce80219dc649ccb0fc340ada7ddf0e65bd9496b4421b5a0a4456d8b0cdd792a729e8fbe786be531c391abde8d2f1d79c304569e

                                              • C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat
                                                Filesize 204B
                                                MD5 61b6e49a06a213f69adc3bb8eca23fe8
                                                SHA1 d32bda1de220e635192150a5659dbee2809d438f
                                                SHA256 b3fa8d6389bdb39908fda328dc3a2acddab99f8349d0c3b2cfb9ad3dad2faba7
                                                SHA512 598d4c27cf0955bf047b5807fdd586911f69d9007dcbb90426f8ddaf27b99a7e7951665e630ea41cc428173229c9c9781b8c6733e9d037fa5d6b80ad96e37415

                                              • C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
                                                Filesize 204B
                                                MD5 022732bee0662cbd2b4b38e4d149f956
                                                SHA1 6efa018cf78ec32468aac0113f06f25f92a94adb
                                                SHA256 dd474b47b4575e54079725c362bbf5c7b14afd2b84707907f7938c05808b1f01
                                                SHA512 d16f3a96f0839873b935b6a638c20f80c2eb243caa8eecbb867d0e28bf091f4588e688aaa40f70eeeaf0fa66c73b627598a691f2ae6d92478c7968f45420266c

                                              • C:\Users\Admin\AppData\Local\Temp\Cab437.tmp
                                                Filesize 70KB
                                                MD5 49aebf8cbd62d92ac215b2923fb1b9f5
                                                SHA1 1723be06719828dda65ad804298d0431f6aff976
                                                SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                                SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat
                                                Filesize 204B
                                                MD5 b5d721c1632f079362ee6e5ed603e23e
                                                SHA1 5806ae0c52493dd60d44736b1082bdb8a72bbf1a
                                                SHA256 4f15b73ea1f8fbbc4e87c50c9b1a313353f4f59dc1aba0789cce304200b4a8af
                                                SHA512 2a9370def70798003eee7986d8cec4daa0eb3aad2e5c8976e016c48b5b39ea668b08eb6e7e102ecc0875c19bfd559c5020a12a2026ac79d08e49c7b4953f0b64

                                              • C:\Users\Admin\AppData\Local\Temp\J4Xd3ofT6n.bat
                                                Filesize 204B
                                                MD5 fbafd5eacee8522161dbfc0bf6b6977a
                                                SHA1 f85e6ca3f0f1918be8ec360be90f472b5338c8b4
                                                SHA256 674d37b41c0a65253f4c4bb0685eeb8e715a3d6a49c197b338b66d1906072824
                                                SHA512 bc047254c46b8163cb6074d794eacd0a112f951fee85550d82774be956d797b185bff32d8d258f5a6620be931f9f103f57bbb93f8d86646dbad9c7325cac542c

                                              • C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat
                                                Filesize 204B
                                                MD5 ca29dee26e5e46fdcc4509ed27dacd45
                                                SHA1 df9653370fe8bf8d892c7954df3ffb1c67dd3060
                                                SHA256 c963e3c2cfbfa229ff017e5fb129d07f65d76c9b096a7feddf991f4a6fec7f99
                                                SHA512 7d3e6b730591cf9c9702a4be37c8b96974f7c51c942b3105abc841e708c8f48315fcdfde071f4b6af92361277b7759377768aa19ce31aa67f53fb50c4940231c

                                              • C:\Users\Admin\AppData\Local\Temp\Tar459.tmp
                                                Filesize 181KB
                                                MD5 4ea6026cf93ec6338144661bf1202cd1
                                                SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
                                                SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                                SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat
                                                Filesize 204B
                                                MD5 295b3c5d09437036984dd384cafb01c9
                                                SHA1 8cd07fd36b26a239bf58aa8e89144fe8493e0996
                                                SHA256 517ceef23de6e8c59914906df00dad51153ca57e4086ad58e76b2120920b28ac
                                                SHA512 c07a477b78da8d9c77a9ef4e79bed87f5fb596cdcd92b065ef1a3a6fe0a2409ad7870233d5975b8b5bde00ea0061e6cecf6ba223db8d70a73046f4a01277243d

                                              • C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat
                                                Filesize 204B
                                                MD5 ecbb1cf5c7784cdf9fdd7f0ad4197255
                                                SHA1 36ca5f45d43c3416121b56e7b63b2169363b2c40
                                                SHA256 204bb9bd66e99fa0d2499640e54f6e782adb53cdd2288a1c4a4cc9214b5b1bfe
                                                SHA512 4ce7bc5138e886790dc441c5e2e6f53bc2022bcd2ad9e020f7658c3a6383f5d2e81f81b27f3d8516313cd174af2a264cc9d10edb25b97ec81b74d32cdf7cfbcf

                                              • C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat
                                                Filesize 204B
                                                MD5 e2d4c0f3c8ae9b2e14c9a24ad97296e1
                                                SHA1 67e30a3838c9f38489fedcc044b98369dde64ca7
                                                SHA256 07e11a2c46b62b08ac55ecfa495025c78ef9977e7e93ba9728ef6d9696decebe
                                                SHA512 bebec1ab7c05b9b58a3bebbd69591726c6640b1c106e1059b50c61e0f511137f1797792daf64de042baf68b7cb0a961c7f368eb54aab4f3dc54c7b1367414bdf

                                              • C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat
                                                Filesize 204B
                                                MD5 9db7491acf8c3f5362ecef787c82b133
                                                SHA1 526d2b0fa076ace625a6408c329a7b8110f4e52e
                                                SHA256 cd1a7d8dfd5f363dfd40d59b2c1bb2ebe4238d2bd970b17eca5ef299646e20a8
                                                SHA512 6aa5b49d17fe82ad0a71fa311b73df3f9f2e0f676ee133200d1ff3d421e2c63928fd56fae81a043b40741de2b7590c952e43e3f29cbf5bf8db16dc58801e01c0

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                Filesize 7KB
                                                MD5 7de5f8f4d9992fec2bfc8945af0ba54f
                                                SHA1 501f9b86ef8a18c709e1e7177847600fdfb9e5c1
                                                SHA256 7367818e0a1e0e35f5f43a40ff82ad70ac66592251605f1a06e39f2579baad70
                                                SHA512 c174131464492260c430603da5e41efac2e0179d81a6c4f4a4c899ca7f827447538a979048c399d6da515c1231a6c18061d37fd853b65d014de80a103f8e6bbb

                                              • C:\providercommon\1zu9dW.bat
                                                Filesize 36B
                                                MD5 6783c3ee07c7d151ceac57f1f9c8bed7
                                                SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                                SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                                SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                                Filesize 197B
                                                MD5 8088241160261560a02c84025d107592
                                                SHA1 083121f7027557570994c9fc211df61730455bb5
                                                SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                                SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • \providercommon\DllCommonsvc.exe
                                                Filesize 1.0MB
                                                MD5 bd31e94b4143c4ce49c17d3af46bcad0
                                                SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                                SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                                SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • memory/564-441-0x0000000000B50000-0x0000000000C60000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/872-81-0x0000000000140000-0x0000000000152000-memory.dmp
                                                Filesize 72KB

                                              • memory/872-80-0x0000000000CA0000-0x0000000000DB0000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/1872-200-0x0000000000EE0000-0x0000000000FF0000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/2096-381-0x0000000000240000-0x0000000000252000-memory.dmp
                                                Filesize 72KB

                                              • memory/2096-380-0x00000000003A0000-0x00000000004B0000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/2100-560-0x00000000013C0000-0x00000000014D0000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/2164-260-0x0000000000110000-0x0000000000220000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/2328-320-0x0000000000820000-0x0000000000930000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/2520-47-0x0000000002770000-0x0000000002778000-memory.dmp
                                                Filesize 32KB

                                              • memory/2520-46-0x000000001B670000-0x000000001B952000-memory.dmp
                                                Filesize 2.9MB

                                              • memory/2712-17-0x0000000000570000-0x000000000057C000-memory.dmp
                                                Filesize 48KB

                                              • memory/2712-16-0x0000000000440000-0x000000000044C000-memory.dmp
                                                Filesize 48KB

                                              • memory/2712-15-0x0000000000560000-0x000000000056C000-memory.dmp
                                                Filesize 48KB

                                              • memory/2712-14-0x0000000000140000-0x0000000000152000-memory.dmp
                                                Filesize 72KB

                                              • memory/2712-13-0x00000000010E0000-0x00000000011F0000-memory.dmp
                                                Filesize 1.1MB

                                              • memory/2820-140-0x0000000000E60000-0x0000000000F70000-memory.dmp
                                                Filesize 1.1MB
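                                        A few things in the Downloads list above matter when turning it into indicators. One CryptnetUrlCache\MetaData path is listed nine times with nine different hash sets: that is a single CryptoAPI cache file rewritten during the run, not nine payloads, and its hashes identify nothing. Eleven 204-byte .bat files in Temp, the 36-byte batch file and the VBE in C:\providercommon, and the 1.0 MB DllCommonsvc.exe are the dropped components; the 1.1 MB regions dumped from several PIDs are consistent in size with that executable mapped in memory. The Python below is an added example, not part of the report: it parses this listing format into entries, validates the digests, drops the CryptnetUrlCache artifact from the hunt set, flags paths that appear with more than one hash, and recomputes each memory dump's region size from the address range in its name so the printed Filesize can be checked. The excerpt is six entries copied from this page; the function names and the size-rendering rule are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt: six entries copied from this report's "Downloads" list. Each label
# and value share a line here; the parser accepts them on separate lines as well, since
# sandbox exports differ.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ed663a74a6c8385c54cd242f041d23e1
SHA1 04ac82b8d3e08c9bd6488c4fb54079205d15b3cc
SHA256 dcee90960705bdd63a11c48ab439c2c7b5026e8e0209ec70a50e6a51c5e58725
SHA512 f87ca0c7a08ee91d44a1c433397f0fa5e0023d74e6a9c7b76061f89f5db81c72a0a4c0a43a21cc31a46e853216908ee9227f2696835225d9c65a95f7f1b67baa
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f8e2530019d4237fb00c40bff068cd95
SHA1 559286907e4fab310de2a0bb693d6e97bd36e788
SHA256 fd2798a7aa2ff5f4a5493f7d442544f077b055d98ef2687fb9106f4852cb238a
SHA512 f14e7781f760e7f95c81b1a524cf2ecd7edf4a1e3610b8702c989f31fe5e84623987ddb0f6da2ef3f3b069a64503489d3666f44341d709a66083ab4b969ec855
• C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat
Filesize 204B
MD5 e94b3d1358aaab6ff355e44c51caff36
SHA1 6938744953f009b657f58ee4fb207627bb8f0a78
SHA256 bdd285f1fabd3b53968571c277e7f99c484fa862d8fcd3c6adb2b6644df287b2
SHA512 53ab2c9a9d23ce27176cce1ef3c8d9f6be32e4d1a8bdb6b036c99211493ce9b995e5ef8afddcbe2f60f861f762d8be17d09e75ffaf30414893e6a81432b9df6e
• \providercommon\DllCommonsvc.exe
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
• memory/564-441-0x0000000000B50000-0x0000000000C60000-memory.dmp
Filesize 1.1MB
• memory/872-81-0x0000000000140000-0x0000000000152000-memory.dmp
Filesize 72KB
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

def parse_listing(text):
    """One dict per '•' entry: the path plus lower-cased label -> value pairs."""
    entries = []
    for chunk in re.split(r"^\s*•\s*", text, flags=re.M)[1:]:
        lines = chunk.strip().splitlines()
        tokens = " ".join(lines[1:]).split()  # label/value pairs, whatever the line layout
        entry = {"path": lines[0].strip()}
        entry.update((k.lower(), v) for k, v in zip(tokens[0::2], tokens[1::2]))
        entries.append(entry)
    return entries

def malformed_hashes(entries):
    """(path, label) pairs whose digest has the wrong length or is not lower-case hex."""
    return [(e["path"], h) for e in entries for h, n in HEX_LEN.items()
            if h in e and not re.fullmatch(r"[0-9a-f]{%d}" % n, e[h])]

def format_size(n):
    """Render a byte count the way the report prints it (342B, 72KB, 1.1MB); my assumption
    about its rounding, checked against the entries above."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:.0f}KB"
    return f"{n / 1024 ** 2:.1f}MB"

def memory_region(path):
    """(pid, start, end, size) from a memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp name."""
    m = MEM_RE.fullmatch(path)
    if not m:
        return None
    pid, _, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return int(pid), start, end, end - start

def check_memory_sizes(entries):
    """(path, printed Filesize, size recomputed from the address range) for each dump."""
    rows = []
    for e in entries:
        region = memory_region(e["path"])
        if region:
            rows.append((e["path"], e.get("filesize"), format_size(region[3])))
    return rows

def rewritten_paths(entries):
    """Paths listed more than once with different SHA-256s: one file rewritten during the run."""
    seen = defaultdict(set)
    for e in entries:
        if "sha256" in e:
            seen[e["path"]].add(e["sha256"])
    return {p: s for p, s in seen.items() if len(s) > 1}

def hunt_hashes(entries):
    """Sorted, de-duplicated SHA-256s worth hunting for. CryptnetUrlCache metadata is left
    out: CryptoAPI writes it on any certificate or CRL fetch, so its hash identifies nothing."""
    return sorted({e["sha256"] for e in entries
                   if "sha256" in e and "CryptnetUrlCache" not in e["path"]})
```

                                        Run it over the full list rather than the excerpt and the hunt set collapses to the eleven batch files, the two C:\providercommon stagers and DllCommonsvc.exe; the Cab/Tar temp files and the customDestinations-ms jump list are also Windows side effects and should be judged the same way before they go into a blocklist.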