Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    30/12/2024, 17:41

General

  • Target

    JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe

  • Size

    1.3MB

  • MD5

    71307fc13b2659f3cdc5e19f3823d738

  • SHA1

    3d63ad7172e5fe0f607d1ca5575c3cf772bbaac6

  • SHA256

    3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428

  • SHA512

    07192db7b6c744868c70712bd8629b64d067ff150a2029394cf5fff2319e7171088c709204f45367329bf775f898608e7dea2008d3a448d471da394524259c10

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here the 15 hits are the schtasks.exe invocations listed under Processes, whose launching parent is not captured in the tree.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run all six invocations use Add-MpPreference -ExclusionPath, one per dropped executable path.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
            "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1348
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2856
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2280
                • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                  "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2704
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1816
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2848
                      • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                        "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2372
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:552
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:3060
                            • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                              "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2776
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1428
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:1820
                                  • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                    "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1592
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
                                      14⤵
                                        PID:548
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:1364
                                          • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                            "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1612
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
                                              16⤵
                                                PID:2732
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:1764
                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1676
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
                                                      18⤵
                                                        PID:884
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:1376
                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1156
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
                                                              20⤵
                                                                PID:1616
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:1812
                                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2936
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
                                                                      22⤵
                                                                        PID:2720
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:2744
                                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1732
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
                                                                              24⤵
                                                                                PID:2420
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:2500
                                                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1780
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
                                                                                      26⤵
                                                                                        PID:2660
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          27⤵
                                                                                            PID:2096
                                                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
                                                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
                                                                                            27⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:844
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
                                                                                              28⤵
                                                                                                PID:3032
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  29⤵
                                                                                                    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1160
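To turn the behaviours in the tree above into something a responder can run over endpoint telemetry, here is an added example (not code from the sandbox report, and not DCRat's own): a Python triage routine over process-creation records given as (pid, image path, command line) tuples, the shape you get from Sysmon Event ID 1 or Security 4688 after mapping fields. It flags Add-MpPreference exclusions, schtasks /create persistence (separately when /rl HIGHEST is set), well-known Windows binary names living outside their real directory, and the w32tm /stripchart call against localhost that this sample issues before each re-launch, a pattern commonly used as a delay. The sample records are constructed from the command lines in the tree above plus two benign controls; the SYSTEM_BINARY_HOMES table, the assumption that Idle.exe has no legitimate on-disk counterpart, and every function name are this example's own.

```python
"""Added triage example (not code from the sandbox report or from DCRat).
Scans process-creation records for the behaviours the report flags: Defender
exclusions via Add-MpPreference, schtasks persistence (noting /rl HIGHEST),
Windows component names living outside their real directory, and the
w32tm /stripchart call that stands in for a sleep between re-launches."""
import ntpath
import re

# Where the genuine binaries of these names live (lowercase). Assumption of this
# example: Idle.exe has no legitimate on-disk counterpart, so any path is suspect.
SYSTEM_BINARY_HOMES = {
    "csrss.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "idle.exe": set(),
}
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+(['\"]?)(.+?)\2(?:\s|$)", re.I)
W32TM_SLEEP_RE = re.compile(r"\bw32tm(?:\.exe)?\b.*/stripchart\b.*/computer:localhost\b", re.I)

def find_exclusions(cmdline):
    """[(kind, value)] for every Defender exclusion the command line adds."""
    return [(m.group(1).lower(), m.group(3)) for m in EXCLUSION_RE.finditer(cmdline)]

def _opt(cmdline, name):
    """Value of a schtasks option: a double-quoted string or one bare token."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def parse_schtasks(cmdline):
    """Name, schedule, target and run level of a 'schtasks /create'; None otherwise."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*/create\b", cmdline, re.I):
        return None
    return {
        "tn": _opt(cmdline, "tn"),
        "sc": (_opt(cmdline, "sc") or "").upper(),
        "mo": _opt(cmdline, "mo"),
        "tr": (_opt(cmdline, "tr") or "").strip("'"),  # the report shows /tr "'path'"
        "rl": (_opt(cmdline, "rl") or "LIMITED").upper(),
    }

def masquerade_path(path):
    """True if a well-known Windows binary name sits outside its real directory."""
    p = path.strip("'\" ").lower()
    homes = SYSTEM_BINARY_HOMES.get(ntpath.basename(p))
    return homes is not None and ntpath.dirname(p) not in homes

def is_w32tm_sleep(cmdline):
    """w32tm /stripchart against localhost only burns time: a sleep substitute."""
    return W32TM_SLEEP_RE.search(cmdline) is not None

def triage(events):
    """events: iterable of (pid, image path, command line) -> [(kind, pid, detail)]."""
    findings = []
    for pid, image, cmdline in events:
        for kind, value in find_exclusions(cmdline):
            findings.append(("defender_exclusion", pid, f"{kind}={value}"))
        task = parse_schtasks(cmdline)
        if task:
            kind = "persistence_highest" if task["rl"] == "HIGHEST" else "persistence"
            findings.append((kind, pid, f"{task['tn']} -> {task['tr']} [{task['sc']}]"))
            if masquerade_path(task["tr"]):
                findings.append(("masquerade", pid, task["tr"]))
        if masquerade_path(image):
            findings.append(("masquerade", pid, image))
        if is_w32tm_sleep(cmdline):
            findings.append(("w32tm_sleep", pid, cmdline))
    return findings

def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for kind, _pid, _detail in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample records (pid, image, command line): six from the tree above plus two benign controls.
SAMPLE_EVENTS = [
    (2956, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"""),
    (3060, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'"""),
    (1348, r"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe",
     r'''"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"'''),
    (2280, r"C:\Windows\system32\w32tm.exe",
     r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (1796, r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f"""),
    (1896, r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /f"""),
    (4001, r"C:\Windows\System32\cmd.exe", r"cmd /c dir C:\Users"),
    (4002, r"C:\Windows\system32\schtasks.exe", r'schtasks /query /tn "csrss"'),
]

if __name__ == "__main__":
    for kind, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:20} pid={pid:<5} {detail}")
```

Running the file prints one line per finding; on the constructed records that is two Defender exclusions, three masquerading paths, two scheduled tasks (one at HIGHEST) and one w32tm sleep, while the two benign controls produce nothing. On a live host, compare the exclusion findings against Get-MpPreference output and the task findings against schtasks /query, because the tree only shows the commands being issued, not whether they succeeded.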

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5a1407063ec0de021e6a9455b404f9ff

    SHA1

    8db0b1301f4b1f671845068b49bf1a2d9be49298

    SHA256

    a18a1435df6a61380701097b32d84adb7fef74e63cabb5c4e42d059ca704a73e

    SHA512

    399c1c5e2c7f3917ccd7fc521c079c44e1ce8256494e5a064ebcb2f4f866b4a5b2f586925f030bbb5877cce203a8b0ef8008e79c7177d830c595bff1160c514b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7b599626f82ca9546b022cbcf73191c9

    SHA1

    d2f85cce36b8ec32bdcda46a1a8775735172c0bd

    SHA256

    2e5ca2761447a7b001dc8d6d61d0bb09754d4fdd58c57b12eec92ce6b7f26f82

    SHA512

    eb99ee93e0aa3d54917b16696c8cacbb84afef3c7b0191b9eb925107aa6090f6bc4d288dae9d2a6d43bc5aa7cb5def57f1b997cb448e42988eb13eabaa2d87fe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    37f594162a112ea6485f710d8274bc29

    SHA1

    151c2c966e8e2e926b384a414b7f7e5910085f18

    SHA256

    c7eeecc1efa3804dff1ec2fad9824ba5732926a7fdc36574ea4a31bc7b845570

    SHA512

    41f6ec88398c340119a11937792de62839da3f1f32dbc631f963d998126c606504336d6c06e3fed40900b310715572371c6ddfe0df5861a928289c3d9a92dcdc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6d6e656ef3607def7ddf43dbec07c858

    SHA1

    216c72e8cfb1ec4ce4c2fcf632e9d84ad3ce14c1

    SHA256

    a48bb8ad6823eee86143443cadeb9bf8cb940378b4d3e49fd0e8a13c52970a35

    SHA512

    1c10779a976c060d37984290e713f88f925bd698c604095b63240ad4f40242e14225a499504f56c9fb2fb526ad968a766bc3348e916d4c3ae86c1f76c3c7669a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

                                                  2b41523d23d56844a50b308120ebe144

                                                  SHA1

                                                  88faa072397ca3bd4c32b26ce17ed4ed5adbdf72

                                                  SHA256

                                                  71fca53d32fc3ce660d73e97ff202a3564be99f275b0ec407050cc0bae4f00de

                                                  SHA512

                                                  76cbcfb4c219a772a30f4dc4a25268089f8927efb366dda7584104c53ff676e9682337cb12815fb798a55f6bb491db0a9fa960bb2ff3516ae71dd34d55f8d646

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  3642486b1ac5bceb45a36ff105b4d515

                                                  SHA1

                                                  59d2296b61472f4e1f78a9e07015267caf1e4fc3

                                                  SHA256

                                                  b7278e28075c13a0a3729983d15a2560a4af00869499a9ed8d50c71efb00d55d

                                                  SHA512

                                                  6ca297b7297f51f5fe64de1cebaeec13f79a0a0b2ad42643db2ea03b153c1621ca10bb543026aa9c3a2102c7587b35e33988f3605c31a73a43cbf9e041eee538

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  d92bff48237708a2f8c044b21fb8f00c

                                                  SHA1

                                                  9009a0f34f4e676f947253826d39e5733bb82e26

                                                  SHA256

                                                  5b3d347b94cdf52b119ec5da1b2d91fef2c98e6b213ff843d9f3e73cf1a84d93

                                                  SHA512

                                                  73a33284111f4312ad9c21f537f2996400278825dac0e3fcb1898110b8a591f935f47e2e726a779a490dd61aefc156378342017c174c96909453d69b511d660d

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  755d93ce0c124222ec4cc7c74c2083f4

                                                  SHA1

                                                  454fba3d5f09d7b390a246a53e8befc43a9a9930

                                                  SHA256

                                                  8ed95a67ca1893415c780b36a8c874cfb21002342ef34a0a554333307ea4841c

                                                  SHA512

                                                  30bc45b7e6b1c38a63e24202e81fa2f08861885773fa423e2e6d99a0fcf5ee5a56e1760475191f784cd06ba8606e0bfcea7a4657e370e0f5cec9cad9190d1c6f

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  ed30325591fae2b3b33980cdcb1290db

                                                  SHA1

                                                  5da12e4a8f59da2efdc3dc3de9bfd21cc0b2fb4d

                                                  SHA256

                                                  4fe6e6239f2864b413cee9a3593592db39dff7be6fb2c30111c96425ce495cab

                                                  SHA512

                                                  064bdbfb260bf5cf211c9078f66433f392612853a3b17b7f51ff47cc58d410549642bf7809d5c33b8ebaeddb650db9b6c3b1423f7270967754eaad3b4374d89b

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  97a6d513b83fc4eb554a21c0fecaddbd

                                                  SHA1

                                                  9832d307399a1e7a386b1123e28fe94b47822088

                                                  SHA256

                                                  c35de92a59e5b7e42a42de7b5c23b6b6aa810c9b7353b8e49adfac4c57d5e790

                                                  SHA512

                                                  f08284f89be3b99ca20800bc999d5afc12cb306a47365a12f603d1d57c614869fd6c7947bc6e59ca9dc0c484743cee93bd634931887a588197a36836736f4e0c

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  5a47b11a1969b8e0af4e5162a03237fe

                                                  SHA1

                                                  0196368cbe608b72395bdf563d6d32c1eb3c1e7e

                                                  SHA256

                                                  ba1981b82f964ea8fbf53ce72b9fd332484397dfe77bdcf9ec9a0ccf09cb73e8

                                                  SHA512

                                                  62c916a29ba85a1fa6f591e53be1f5936a89cf8ab2ab58f1970051be3311dc5dc709e498810964cc8a460984d88ac3a0e93d2f65f52f09f00ae92b5f64b1433e

                                                • C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  a0214f29ef3616157d3e25eda943c819

                                                  SHA1

                                                  4ddb9b1722f95bfd66893a32f0cea6b5fdfff6fc

                                                  SHA256

                                                  2964571069d63e9765423a08ffba0a69de000d704b79e66da018cf7dad03b375

                                                  SHA512

                                                  c65ba97dabfb552f6ac321f527e251715a7ff942733ee4eb8dbc828206eb7850d2fbac422432c31163e29b12d3f58487a27abbbbe0ebb0f160c684b1497edc89

                                                • C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  b40e2e46c790af66c9072ac21eb4a82f

                                                  SHA1

                                                  ed565e532ab2839003f364fec629249066f8c46f

                                                  SHA256

                                                  64fc0b7217294cdc2a90642b709ee69fdca8b4cf2f8f87647d797b3d7dd53911

                                                  SHA512

                                                  e2118dd920376f4f570eb7f9e4857b400fd95e7f7cd031d72590030fa2d31d2bc7c3492b23e83f815437f515672b707aea48bc50c6b050b75c15ac69c750bf94

                                                • C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  327754998a8827a357c71e9a118880c9

                                                  SHA1

                                                  a8b97f62d04f3dba324653fdc30930bbf901d068

                                                  SHA256

                                                  1b16b5c9f85984553735dac8f65eb6549ceab04ca21f6836355dde30e04b0f52

                                                  SHA512

                                                  7ae9f795fa95e6f22577ae62bee47b2b00835569340a1fff5707efd6e73adce89753031a8c64526cdb5b8f841857f50a8117b9fa345f9207d690187eedea661c

                                                • C:\Users\Admin\AppData\Local\Temp\Cab1316.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  f98cc77d43e944298905671842cd3aae

                                                  SHA1

                                                  7ed0e8a3ea013fe259a1b19485971b1032efe3b9

                                                  SHA256

                                                  aed1a1d53d7b084342deec1374078383351b19aee1a01a423c8da718a8ea7f86

                                                  SHA512

                                                  0b7a395914c4e658dfa7755d93da6b4ab8a6c3bb243548c15c18f0436a5be0c3e340f3e1f34889e657c448a5ca64a7f52e683d41feb6927719fbd637bf120c3f

                                                • C:\Users\Admin\AppData\Local\Temp\Tar1338.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  37287b541cd39b73b2e0d065971ec117

                                                  SHA1

                                                  c37f49020cb71c51339f0832e1a7a18d813d7fb4

                                                  SHA256

                                                  24cd5ce1207d0c39fa3ba9d405b1fd64ce708c3c7899955e81ff721916cb233c

                                                  SHA512

                                                  3a323bd810eb06495971140a398210453a4906a90c00bba2ee98b63b3e0d59313ab3492ba8c833790c6971c13667f2d57c582f7b37b95ea23fa68892c019b351

                                                • C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  734bcf136c8c3da9d92044e75014b193

                                                  SHA1

                                                  aa35459215c19171349a473bf1c27011160d8a08

                                                  SHA256

                                                  4318d76adb747a98517a86e4eec3ab090a1a3708a597dd3a58d5edc1b59506f7

                                                  SHA512

                                                  870b6890f6ad1fe9b21c38c29aa5201a8ed2d0b1a1977e4c8d81ba2535b17234b5769c91cbd2694b3db00a128cbed9b0fb09355bcf3779850d9d19d007ad52a3

                                                • C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  e7702b15729dbff83341adfe61e47806

                                                  SHA1

                                                  08895ccce096dcd9258cc6b9659d7df2160eff8a

                                                  SHA256

                                                  865f8c34edb59ec1625cef1ae791141879674a68b24b9245443e53a3b8e98f12

                                                  SHA512

                                                  94d70dfab8c1703d2f360d61436e2a4be6bd3d111422984d9d0332d06a0773548075ce84c1b6baa344195354e39404e4b814eadcb44e646bd24230010e39bd15

                                                • C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  128b776372294b7a596dd99ac90a2ce7

                                                  SHA1

                                                  1df422041906d0f4cf8d25b7257b46142a651971

                                                  SHA256

                                                  1f367ebe8d5a5dff3d98f37d869982c7a975e46b78800ce3a6f5af849a744546

                                                  SHA512

                                                  0368cd2c4980234cac36b0ea67930e7c7498302bdf77418b8d7ad566c20baab2c2f2e9de31b24e579836af208233820d7fa9263488052086f25709f72d747d03

                                                • C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  0593da88a9183e103afbb6b9c99ef819

                                                  SHA1

                                                  0eeebe08ede5c09fb17686599871499f85946e2a

                                                  SHA256

                                                  60b16dfd2f0c7dab7fa40ee58b3c4bf9747e099224aef4e0a30360c617141921

                                                  SHA512

                                                  8d23a26e0c7cc6a0fb94518d324a3e0c6a70cdbf7bc0892f78aa5e247dfc28c0c178da92b9618a0557ff5e8b7de0560d9f4c9b16de5bae80649cbe5db2ab40f9

                                                • C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  86a5a014fad43883a202787d08297e81

                                                  SHA1

                                                  3293915eac6a576b90b912fd16167e8b846eed49

                                                  SHA256

                                                  9cd5c2bae0efd4109a5839921913fb6fe55de4718b205840aed870b881de1157

                                                  SHA512

                                                  a55e52003ef651a4de777ca777ab586f3eb737e3592d3c3ca4c765a88755be17c0ae5bb654c80a93a71cbc4d1ab9f1d80e78f7ea16f0f18909daf6e921057efd

                                                • C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  4bb63c3dc01fa472a179bd80df51d655

                                                  SHA1

                                                  272e3bc836ee2f9395155074924877f065029e38

                                                  SHA256

                                                  c7dd7e679c9f6daada9bcec2caaa487e334423c3e537d0f0c556cbc7885c21db

                                                  SHA512

                                                  49198b21dfc6cc1d0a22003a70c28fbec9a3beb8719fab934128249868d16a1dbddbf69c4ee13d8ed1af265054b862147e379c542afc9d4b7e42a808ca020f03

                                                • C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

                                                  Filesize

                                                  230B

                                                  MD5

                                                  fb9a31c36587be633c38aba900c0ffac

                                                  SHA1

                                                  eaf52598288e707c96f532888c46e142203d87c5

                                                  SHA256

                                                  92668e07db0e86beafbd6e98d565aad133bbc7cff2e5381a18c683f2e4fc49b6

                                                  SHA512

                                                  bf108b451ef453c8340390a9d38217850ee899c5707c9dd35c922625038296d95e4c51e85268405262271f55fa6c19972fa4d9a1e1c84a60847674ca766ea3a1

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  7f2005e51c1f1ed368db3fb572a6f4c1

                                                  SHA1

                                                  e7f98ac887403e15a22933c87a9002862c12a766

                                                  SHA256

                                                  c7055ebb087a1fe67b00cd29e5713b7e57c41f4bc604385a5ec9a19afa7f6b96

                                                  SHA512

                                                  18de098852eb40e0540a144ac7c24f6538a92489bffea47a3561affc8aa8df0e90b1672911e41b950097d97f50b6693b1ab8f9fd08a4c66555f6d6f815931676

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
