Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:29

General

  • Target

    JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe

  • Size

    1.3MB

  • MD5

    ce93576e0a5b44f4aeb32124bd140460

  • SHA1

    99c15083ece325958a02c176abb6a74935c00960

  • SHA256

    adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6

  • SHA512

    6046d3a6eafce983bfe67f1eb6eb20f34155a4d427847e1a8c984ab67299c01db422a4d328ab796c290fc7bde3f061d727d5133850b7640d2eb8b7b76f693fff

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_adf79dfd7aa3ca6c8b128933eb74bb16317bb0c9143005dca57907a9a112acd6.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2300
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:824
          • C:\Program Files\Windows Portable Devices\audiodg.exe
            "C:\Program Files\Windows Portable Devices\audiodg.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2664
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1532
                • C:\Program Files\Windows Portable Devices\audiodg.exe
                  "C:\Program Files\Windows Portable Devices\audiodg.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2680
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1944
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1932
                      • C:\Program Files\Windows Portable Devices\audiodg.exe
                        "C:\Program Files\Windows Portable Devices\audiodg.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2800
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1088
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:824
                            • C:\Program Files\Windows Portable Devices\audiodg.exe
                              "C:\Program Files\Windows Portable Devices\audiodg.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1252
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
                                12⤵
                                  PID:2308
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2856
                                    • C:\Program Files\Windows Portable Devices\audiodg.exe
                                      "C:\Program Files\Windows Portable Devices\audiodg.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2260
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
                                        14⤵
                                          PID:1516
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:2788
                                            • C:\Program Files\Windows Portable Devices\audiodg.exe
                                              "C:\Program Files\Windows Portable Devices\audiodg.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2504
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
                                                16⤵
                                                  PID:492
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:1776
                                                    • C:\Program Files\Windows Portable Devices\audiodg.exe
                                                      "C:\Program Files\Windows Portable Devices\audiodg.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:600
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
                                                        18⤵
                                                          PID:1152
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:1256
                                                            • C:\Program Files\Windows Portable Devices\audiodg.exe
                                                              "C:\Program Files\Windows Portable Devices\audiodg.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2436
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
                                                                20⤵
                                                                  PID:2560
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:1932
                                                                    • C:\Program Files\Windows Portable Devices\audiodg.exe
                                                                      "C:\Program Files\Windows Portable Devices\audiodg.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2204
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2716
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2308
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2584
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2680
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2700
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2800
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1944
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1092
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1696
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2900
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1164
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1380
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2740
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2864
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2904
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1484
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:264
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2780
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:1992
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2536
                            • C:\Windows\system32\schtasks.exe
                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
                              1⤵
                              • Process spawned unexpected child process
                              • Scheduled Task/Job: Scheduled Task
                              PID:2564

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    7ccd709778381c41fbff5fe9731fd1ee

                                    SHA1

                                    eb7ef9edbb549504122513fe4a684be277af05aa

                                    SHA256

                                    8e5d6364763723d1b374c7fea3b2e6432a0d241a24a1a665966185a934af9f04

                                    SHA512

                                    a7625a41ab984bbce349343082331815fc5651cd80dad3d0730b8ce2760c1fda95abab5f1bd660a1d5885325bd8c34718711462e5fc54ffb05a66988e5e48baf

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    e36868632e4dbac5c83db7f00d857f95

                                    SHA1

                                    3f2569235a80e0d0b2b279b8141768b80e651e44

                                    SHA256

                                    295f49519fd26b7d9fd1f5ba0f47019884a049ca8d6b2edb81eb076281bf7189

                                    SHA512

                                    756168be44f96989595ef86a5e3718dd3971a66be0be9c8ed4e8750169b2d37373d313a4b7693105b1a2567037c27716e88b03e78f6cd57dd655e7ef60686cd7

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    cd8d76f77bed2f556b24d84ed4cd3ee7

                                    SHA1

                                    820cfa9a5da2115c5e57f8ea44af8ed4a794784d

                                    SHA256

                                    c23b58848bffe3dc7ae776cef9bdf55a85520aee52bce01456def4a3b67fb39f

                                    SHA512

                                    1c8e1d530794414a97a74824bf167b95318be327930c586492cb03cd1d4728f5276212e1ce7ff7fa3e46cf4f5d1644ae4f9f6fee4bd0a1eee13cd56950d1ae57

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    6d2623bedf99a46f6154227a4ac91cb9

                                    SHA1

                                    ebbbe1b66eb0cd0abe79281bf70e603281f95fa7

                                    SHA256

                                    bbee5527b82578f9feaeae8de65cb0906a1563ba7faeafae16179ad9a56e7fac

                                    SHA512

                                    b95128b4cba7ba626b0fc65c42b3f1fff0c96a0783f10f77a19f113d6ebbbffa67e7c5c7410e109db96c723ddd60325f591738e7a52eb4338c16d95387932629

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    46748dff147148b47693227cb650ca10

                                    SHA1

                                    219f5642490e22fa2b8d2fb06da046b0869392b5

                                    SHA256

                                    5857dbed63fa5a8c9d565eeb81fe1c176338bd792c3f60af073f455d4ff8076f

                                    SHA512

                                    47f2c31c6c1dededad0cf62fb8c4d66a9badc0f6765fb2575a8f9d6a8692ad81a5978996a382f6ff9059404bcaa4b6152a2b8d5a7116d2e9495faa22ad573307

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    68cb0a8e5025d6cff4133f3d34a7ccf5

                                    SHA1

                                    2dd808d872ccb79405cd27c19a74b5fbd0dcae52

                                    SHA256

                                    2b8b7125526902e39a5b186894825eaaf030758b60d1beca7e74d0748200caa8

                                    SHA512

                                    4fd686f4ebac4ca5fa332ab1b713d4870e320eb80dc00860fa186f0617b05d1ba1771e3a10427ea7bf79d2b8ab496d6270f819fc3a5a3cb73ec9ea4d27114743

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: dc018c933179eb6c8fa0d17e5b07757a
    SHA1: f27840374c8ffc6b7eac3672a817b04b24208251
    SHA256: 2974aa5820414e8c9a3a05138459a6b02d4764919337045eb4716851d14773b7
    SHA512: cbbb416fdadb0f49e2a4926c4968990c3aeef5c589f007762622c286f01ac98ce019e829012ca7d3f36ad2c50b33fa5f3cd1237b127834dcf1e6f1f8a45679d3

  • C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat
    Filesize: 218B
    MD5: 6d2966615fc9a4265e29ccea1e134848
    SHA1: d0830d1f64907fde981a1b2b8ce1888363bfa542
    SHA256: 14f5bf499eb82d90c303d11ce990978ed816af9478f3bc000441c029f38be933
    SHA512: bd79aa4a9dd371ecf5a1a2c13da69bd7e3e156bed92b0aa54cf19e98dd1f81f05a27bfd06d9e6a9bb4f2f3345db70b06225134d52b38a953d34c75cd1990c808

  • C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat
    Filesize: 218B
    MD5: 9255791592334e784207fcf1a381a412
    SHA1: ab6e56d79d22959814053b855c95aea68f639243
    SHA256: 1d85073e0b7bf3ce61e07a496627111f49dca6bf4ac0f4957ca65840ae184cd2
    SHA512: 513c55d9d3f4652da950e8d8d76ee5ec314550a62620056296c8fbbd41dbcd95265e2a88166e00cbe08d76af0125d48fe457825057f53edecb7704c424b07a29

  • C:\Users\Admin\AppData\Local\Temp\CabD5C8.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat
    Filesize: 218B
    MD5: 769379c271ce6f828766bf0e21a9cddb
    SHA1: b9206f78b30b23be76247fec68edae0f9a3c8460
    SHA256: 80ac3bb1a3258f5c769ca691604f507495d17d2c105dbcc6ffd1e30e8a21d299
    SHA512: c57256b2a7bac9fa21d8d6731d14a4fd35646af26f5c551da4e318008067a625d9fe1bd2fda78443086f281fabdf4eced06c93496bf83f5b19bf7f3fe83be606

  • C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat
    Filesize: 218B
    MD5: 346c8398dee58188e6a1c17e5dd6a6af
    SHA1: c4df952830e3f8e557be2002c885bfd2c646441c
    SHA256: 6569ca4f1ac0d96ce0c89d20264cc973cebb4eace227f77aa05f8262c5f47fe4
    SHA512: 83559ea483ce8e2bfe34dab61c903f3a25e8bd9df84af41426d99b077f43dedb2ffe6d7240bc132cdb0a2142ff9c8adee97c0f0a89daae4ded57084ff8f07f4c

  • C:\Users\Admin\AppData\Local\Temp\TarD5EA.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat
    Filesize: 218B
    MD5: 6f2826db4b7981c5a37af8878b737b3a
    SHA1: 1e774289eae4bbcb33e639a7a0aae9232819a805
    SHA256: e41dd16159591dae2cc89d8579a080c99225c4008507c16b86ac5387560d9c9f
    SHA512: d4cb354e99c63783538c04e6b423fa231e87176341bc4c5a03e292dab4379d9025d7e893e5266eb38c83e59f22d7c6412ab50326ca9d28727e2b21ae21df2b13

  • C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat
    Filesize: 218B
    MD5: 09ccc902fd439d6b4cec1c475ed771af
    SHA1: 62572be7959244ee265512be14172fbb82f93a13
    SHA256: 8eb65aaadd6bf9cf4f86aaecc9b8e7b8a7d3b357084d617bcb06e045ab187217
    SHA512: 489a4405286f4d9749505b9e071f467ad3db17c4d494479eb51543cdbd6e46b373184a17141ee4f6c428660b1223677709234b10fd0bcc935404fd5e4c0bd743

  • C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat
    Filesize: 218B
    MD5: 0bd7053e09099e71a63ce786f9e98178
    SHA1: 5716d6b519be060cb824509b66b5d68a8c359a6f
    SHA256: 5367d3ea97ce1f0fc7b96cafe6347dad8dd19fc641c8e06b52d78e67dffc7548
    SHA512: e9b25834ee9ad0328f39f9bb560ae24bdcfce021839cb3887e99815ef5024ab226ac6d657bbb26c3ef51200a606e5cb5ef4505b8f12096837b038d5877388a40

  • C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat
    Filesize: 218B
    MD5: efbea8fdaabf81ae7d89dae3b759fd35
    SHA1: d1211c094778ae4eec6a7bfe5973d9d9d61e7ac6
    SHA256: c695ae1a68ebc76c3718c74ed9dca5abf1e0303cd05679c1ca12935c5ef78e7a
    SHA512: 07a0048d1af1206a1a340206132a1c87dd93644a1b9fd797029d1df813cd410809fa41bf6d29290cc3c1bc62adfefc75792369ca7d54aafc34354c7e37f2204c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: f0a8975ca3b7489b1efcfbde07f26733
    SHA1: 59c827a85a3e64e9eecbfc484945906199dae358
    SHA256: 7de7456746c93ec99e5b853b68d0ae730b57372b58db18ad0a584c3fb212983c
    SHA512: 70ecd74feff4730848fe6805667239394d1b11c3ecfdae4246b429445fda263446ba7b4721c79dad61bcaa0550d4dcc22dac3fd77b32c1d6db9a33ae1b50134b

  • C:\providercommon\1zu9dW.bat
    Filesize: 36B
    MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
    SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
    SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
    SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
    Filesize: 197B
    MD5: 8088241160261560a02c84025d107592
    SHA1: 083121f7027557570994c9fc211df61730455bb5
    SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
    SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

  • \providercommon\DllCommonsvc.exe
    Filesize: 1.0MB
    MD5: bd31e94b4143c4ce49c17d3af46bcad0
    SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
    SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
    SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

  • memory/600-439-0x0000000000430000-0x0000000000442000-memory.dmp
    Filesize: 72KB

  • memory/600-438-0x0000000000D90000-0x0000000000EA0000-memory.dmp
    Filesize: 1.1MB

  • memory/2204-558-0x0000000000DD0000-0x0000000000EE0000-memory.dmp
    Filesize: 1.1MB

  • memory/2208-48-0x000000001B500000-0x000000001B7E2000-memory.dmp
    Filesize: 2.9MB

  • memory/2208-55-0x0000000001FF0000-0x0000000001FF8000-memory.dmp
    Filesize: 32KB

  • memory/2232-17-0x0000000000410000-0x000000000041C000-memory.dmp
    Filesize: 48KB

  • memory/2232-14-0x00000000003D0000-0x00000000003E2000-memory.dmp
    Filesize: 72KB

  • memory/2232-16-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize: 48KB

  • memory/2232-15-0x00000000003E0000-0x00000000003EC000-memory.dmp
    Filesize: 48KB

  • memory/2232-13-0x0000000000F50000-0x0000000001060000-memory.dmp
    Filesize: 1.1MB

  • memory/2260-317-0x0000000000140000-0x0000000000250000-memory.dmp
    Filesize: 1.1MB

  • memory/2504-378-0x00000000002C0000-0x00000000002D2000-memory.dmp
    Filesize: 72KB

  • memory/2504-377-0x0000000000960000-0x0000000000A70000-memory.dmp
    Filesize: 1.1MB

  • memory/2664-38-0x0000000000C80000-0x0000000000D90000-memory.dmp
    Filesize: 1.1MB

  • memory/2680-138-0x0000000000240000-0x0000000000252000-memory.dmp
    Filesize: 72KB

  • memory/2800-198-0x0000000001320000-0x0000000001430000-memory.dmp
    Filesize: 1.1MB
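The listing above is the report's dropped-file IOC set, and the natural next step is to turn it into something a responder can match against a host. The following Python is an added example, not part of the sandbox report or of the tooling that produced it: it parses entries written in the report's label-then-value layout into records, checks that each digest has the length its algorithm requires (a truncated hash silently matches nothing), decodes the memory/<pid>-... region names into a PID and address range, and hashes a directory tree looking for any file whose digest appears in the list. The embedded sample is an excerpt copied from the entries above; the function names are this example's own and assume nothing about any real tool's API.

```python
# Added example: parse a sandbox dropped-file listing into IOC records and match
# digests against it. Not part of the report; function names are this example's.
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed excerpt copied from the report's listing (two file entries, one
# memory region). Blank lines, which the report also interleaves, are ignored.
SAMPLE_REPORT = r"""
• C:\providercommon\1zu9dW.bat
  Filesize
  36B
  MD5
  6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1
  17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256
  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512
  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• memory/2232-13-0x0000000000F50000-0x0000000001060000-memory.dmp
  Filesize
  1.1MB
"""

HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Entry:
    path: str
    filesize: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)  # label -> lowercase hex
    pid: Optional[int] = None                              # only for memory/ entries
    region: Optional[Tuple[int, int]] = None               # (start, end) addresses


def parse_dropped_files(text: str) -> List[Entry]:
    """Turn the bullet / label / value layout into Entry records."""
    entries: List[Entry] = []
    pending: Optional[str] = None  # label whose value is on the next non-blank line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entry = Entry(path=line[1:].strip())
            m = MEM_RE.match(entry.path)
            if m:  # memory dump names encode pid and the virtual address range
                entry.pid = int(m.group(1))
                entry.region = (int(m.group(2), 16), int(m.group(3), 16))
            entries.append(entry)
            pending = None
        elif line == "Filesize" or line in HASH_HEX_LEN:
            pending = line
        elif pending is not None and entries:
            if pending == "Filesize":
                entries[-1].filesize = line
            else:
                entries[-1].hashes[pending] = line.lower()
            pending = None
    return entries


def validate_entry(entry: Entry) -> List[str]:
    """Flag digests of the wrong length or with non-hex characters (copy errors)."""
    problems = []
    for label, value in entry.hashes.items():
        if len(value) != HASH_HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{entry.path}: bad {label} {value!r}")
    return problems


def region_size(entry: Entry) -> int:
    """Byte length of a memory/ region (end - start); 0 for file entries."""
    return entry.region[1] - entry.region[0] if entry.region else 0


def match_digest(entries: List[Entry], digest: str) -> Optional[Entry]:
    """Case-insensitive lookup of an MD5/SHA1/SHA256/SHA512 digest."""
    digest = digest.lower()
    return next((e for e in entries if digest in e.hashes.values()), None)


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(entries: List[Entry], root: Path) -> List[Tuple[Path, Entry]]:
    """Hash every file under root and return those matching a listed digest."""
    return [(p, hit) for p in root.rglob("*") if p.is_file()
            for hit in [match_digest(entries, sha256_of_file(p))] if hit]


if __name__ == "__main__":
    for e in parse_dropped_files(SAMPLE_REPORT):
        print(e.path, e.filesize, e.hashes.get("SHA256") or f"region {region_size(e):#x}")
        print(*validate_entry(e), sep="\n")
```

Two things the data itself suggests when using this. The region size decoded from memory/2232-13 (0x110000 bytes) agrees with the 1.1MB the report prints, so the address ranges are usable for correlating with a live process map. And the ten Temp\*.bat drops are all 218 bytes yet every one has a different hash, so matching on those digests is brittle; the C:\providercommon paths and the DllCommonsvc.exe digest are the stable part of this listing to pivot on.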