Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:18

General

  • Target

    JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe

  • Size

    1.3MB

  • MD5

    9e7d29317f6125aec032fdcbe57e757c

  • SHA1

    494b26f63d453179ad8d747926254fcb14135f20

  • SHA256

    20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177

  • SHA512

    60f47c0a04c85034719ee49aa8bac9bca6799d67dbeab0b0dd6f3f9fad605dac977a286544a66ea0d326296ecf350f80d669d65ca86848dcd4899fa9037a8e29

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2176
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:340
              • C:\Windows\Web\Idle.exe
                "C:\Windows\Web\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2976
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2628
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3020
                    • C:\Windows\Web\Idle.exe
                      "C:\Windows\Web\Idle.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2528
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1516
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1940
                          • C:\Windows\Web\Idle.exe
                            "C:\Windows\Web\Idle.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2884
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
                              11⤵
                                PID:2960
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:264
                                  • C:\Windows\Web\Idle.exe
                                    "C:\Windows\Web\Idle.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:340
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
                                      13⤵
                                        PID:2936
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2712
                                          • C:\Windows\Web\Idle.exe
                                            "C:\Windows\Web\Idle.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2556
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                              15⤵
                                                PID:2384
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:2876
                                                  • C:\Windows\Web\Idle.exe
                                                    "C:\Windows\Web\Idle.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3064
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
                                                      17⤵
                                                        PID:1680
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:2188
                                                          • C:\Windows\Web\Idle.exe
                                                            "C:\Windows\Web\Idle.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2408
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
                                                              19⤵
                                                                PID:2160
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2524
                                                                  • C:\Windows\Web\Idle.exe
                                                                    "C:\Windows\Web\Idle.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:340
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
                                                                      21⤵
                                                                        PID:2404
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2432
                                                                          • C:\Windows\Web\Idle.exe
                                                                            "C:\Windows\Web\Idle.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1960
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
                                                                              23⤵
                                                                                PID:652
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:1952
                                                                                  • C:\Windows\Web\Idle.exe
                                                                                    "C:\Windows\Web\Idle.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2952
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
                                                                                      25⤵
                                                                                        PID:2728
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:1804
                                                                                          • C:\Windows\Web\Idle.exe
                                                                                            "C:\Windows\Web\Idle.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2084
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2728
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2476
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2088
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2764
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2360
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2308
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1420
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:332
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2528
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:568
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3012
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2996
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2460
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1048
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:652
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:784
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1132
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:832
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:676

                                        Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                7405fabaab93319928ab7b6b30bb5fad

                                                SHA1

                                                a8f4925d7a67952eeb71fe2a0f2c38d2ef91f05a

                                                SHA256

                                                228401c705c52cc171ca9e49d6959cf654666caaf1238831f2786726b45621ec

                                                SHA512

                                                c3a34c536794ba17ae82e47d6c3ed2351877f6c7cc95e124177bf3c39d6578730b6949394f6318865f86d55a3217dc02c376e667f35edc6d54a77a58e3696529

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                8985eed6f85fc6bf2e8be68a85b2ce2d

                                                SHA1

                                                39d42eab1a90eba2f22a1a9da7cbe2029b57eaae

                                                SHA256

                                                2e7980b934c92979648c7c2b53f91ef8c86bfdaf203191493c48975d54bf6407

                                                SHA512

                                                4928070fe0137879590a65cd90dccab9a666daedd7e9e757f7684bf82b2ce2e0b2de6daad75759da14fd19a6de27220f2b9f7061950758a715af0bf03920fdf0

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                57835819a2e815b906e7444d3dfc5f5b

                                                SHA1

                                                984247cc91439038276c7d02a00c8e07ede468bd

                                                SHA256

                                                8ddf060642a6b1f5d2b5dd7cb063b133cfa43f759d8eb10f24c895af17ebbe75

                                                SHA512

                                                39593ed439cd843fc05dfc58ce13947e9b0e87c254e62f778608172f51e925aed2422db1f027f6c996d84f9df0d1358892c414c25f4130dca716b3108953b2d0

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                1ef9a38aee475fc511864442d68c49ba

                                                SHA1

                                                095d822757fc9afa4cf4f887c3d603f52053887a

                                                SHA256

                                                018b25cd35a451267f6afd21464acf88ac9eb47a5a4ce014deec6d6bb61257d0

                                                SHA512

                                                a5a91ace516b41479bfe22b3c2849c8d4ab51d138112e7555e0ae79eefb871a7b8ea2fb2b879b8b46a6d3532738ed67e00ffc989e60a87ab51fd226ea9f1f02a

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                ef50f587008b27f8cd927b023db0bb09

                                                SHA1

                                                e593699c47f7367cf1d999f8d39f245cbc51e4ee

                                                SHA256

                                                fec8c8dc33ae6757953eff141debf785660cfaa448e81a36a63262d60b168c39

                                                SHA512

                                                6ae07934a55c5fd7be45def3b7b4d46f119bab118fd251023ad5ad829f60917291ada0a8a911650c655dcc9870cd30d1dec675e2d77109d2b7be0abfd0bc52e2

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                6443f4b80fa35f0c906beb2f4a50adc1

                                                SHA1

                                                7696fa9af95291f9e7905755816426707d3c54e9

                                                SHA256

                                                ef193af5945fe3588a8cec8d041637d655ff435e2d3ae4d77dfeb1254ff9adb3

                                                SHA512

                                                2be6f9ae95db067703cb1bdd5739f3a05be3f21c4561d13fda86d2e5e5521a0ac53655c482bcf49c7dcb8a7d6a0d8f9c5205f95a7d733511db634db3b331b7e1

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                37493c62e17dff0af3202dcce2fd26d1

                                                SHA1

                                                fd272e3f2bbd2901349b69b39f8a9714c0de7dc4

                                                SHA256

                                                ba2e58bde02ce652645a424f8997582fec15c24773eb76b66202f7378747bbf9

                                                SHA512

                                                c791ceed5df76447422448a42169f3205349a722adc85b2c3373ac5fa175c5a7a24bd7a2b7e19576ee6d5de067a11e7fd662467e7f9c44195f0a99080e5836ae

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                7a1db1559d737213845ea0fa5a98474e

                                                SHA1

                                                3e2b9f66e130d160f2ee9e25565580dd6b25b0c0

                                                SHA256

                                                e05bd816e6d8e721c496652170233c152d9f4055c675b4bb5ea3473d9c6dfa43

                                                SHA512

                                                08248cd8a64b19f8adec8306b8f19a3dd13c980d253d227a08200c73d2392d20aa60098b193ed13fd987bf15aea20a2464c14c0ec1d6eb88b7c5ac89a48b4774

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                2e67100773296045c1bebca34101ab36

                                                SHA1

                                                3578a49c949e9fb8c46158d7419d7528b4ff3103

                                                SHA256

                                                6c3c239e9e18e5839539ee617e41a4aa95de3673fafbbd86ec67d7173f5178e4

                                                SHA512

                                                e9839169cf672b8cd1bb8f09ee9362b7c7ab23aa7c5d7f42876f94568a0fb3ad8fd33298097a6b54f0b77a55b70549eec35b3d8e48c253a8e217b85f84544e32

                                              • C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

                                                Filesize

                                                188B

                                                MD5

                                                85b62ca95e5ddf88a8f371d0e7d36aab

                                                SHA1

                                                034caf69cb76c1c1c5aaf27b5a0b4b75d6e652ac

                                                SHA256

                                                3101b3a26dcf3c7e47bdd44d545bfe1c4a9c865f3985798cfe38fd25f48e6b35

                                                SHA512

                                                005b6d996d8b0b357a0051399bf566362a63889f6422ea5b60a0d6d5f3f7e4382bf27c7a24831cdbe6df50d96e0e0acb0fe61d2404e8a58d132e4186bcc74710

                                              • C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

                                                Filesize

                                                188B

                                                MD5

                                                dde3a2e904e8ca2aba29e08df4350886

                                                SHA1

                                                d7c0557e3ea23795f5be47df266f61b381a49766

                                                SHA256

                                                e35ac54d4a76a274eff34308e78574a864dfd589747d4258734c077dcd58ba56

                                                SHA512

                                                2ec9f9f3e19dcbbce36e940e3886812029e7c21790871960a4973e98099ba06f1b765b7ea876e30169d9055bb49f443fb536641000fb5e44f4c1d6833aa9c0ef

                                              • C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

                                                Filesize

                                                188B

                                                MD5

                                                8f9a4d0b77acb9d371d4455ca67fd5c2

                                                SHA1

                                                e24774a7caa68106295448efde58473efbc8a0bc

                                                SHA256

                                                d2744c4021d2368ac6f234f76f67383e108f47c983f19172dab933108b4bc6bd

                                                SHA512

                                                7c3efcc7ce44c4cfdbad99ad15a51a689be1a5a6d52fcaba66badbb7a225c08fb82b1409ceb17c46f85387b8b869df930106b88c38b933a7fef26612f5607d42

                                              • C:\Users\Admin\AppData\Local\Temp\CabBE.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

                                                Filesize

                                                188B

                                                MD5

                                                0986da0cefcc7993237cb00b72216c4e

                                                SHA1

                                                694cfcad26e9af3109d1ebf996ea3f5b83f5473f

                                                SHA256

                                                0afb8be3e876dac019b3ac18fd4b5cb28e408880a485a33bb7bd047a8ca79dd9

                                                SHA512

                                                91a21608114b91758c55816937889cc8da77bfafa4dd8e2e80272e2d6b779e9ee9086b193380d3090b28c79f566484db17bd8acffe61abea9df166522a7320e6

                                              • C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

                                                Filesize

                                                188B

                                                MD5

                                                8a66c801cbf41107b9a903674f12c189

                                                SHA1

                                                eb10bf7f6203f9c9da19e3866ba3a23a6381433b

                                                SHA256

                                                13f3f57bbf40e85747b37b1177a118698aa4d33b5f83099e00b5a33cd4aeb9c3

                                                SHA512

                                                094951820335c43705e6ab9dc6908ecb847697a37c44c9c5880297b91847d0e804931b85cd630d2d4cdfd856b877a245a5d283dbfc6af40edf38939ec8cc45ef

                                              • C:\Users\Admin\AppData\Local\Temp\TarD1.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat

                                                Filesize

                                                188B

                                                MD5

                                                f31ada6f42a106092814cee58d61bacb

                                                SHA1

                                                d6934b0ee5964588239afcc735d0b6d29ee37841

                                                SHA256

                                                f65f3987375c16c98143286794721e8884a67a2091ff6861cda33474be9c3468

                                                SHA512

                                                2a71cf0b641a784f47d3e7edf8844b7df0511138e6d134af42e7e411e9a005473be65ea3de5187a51b734330fa456ca6cf5ffdf890eef993f3e9605c53806931

                                              • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                                Filesize

                                                188B

                                                MD5

                                                143ffab1a2ad3456560ee6b84ca23c11

                                                SHA1

                                                d18d9cc086493eec5d3284cef34d02c326713e7f

                                                SHA256

                                                2b0890e293b5d46a030e10030e2d1117d83aae13c8b3cba71e378506d5b75639

                                                SHA512

                                                5e787ca7192eec0adf6f125c9ec0b8fe8df786ccbda2b9a0021326a4cfaccda8ae55876cf7e6f17ae3c176062eb4d75344d5825ceab4c5740666c378fa22a885

                                              • C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

                                                Filesize

                                                188B

                                                MD5

                                                2252f47fcc17c7a205f6b95a5ca0f9f8

                                                SHA1

                                                672fc71c92c99c18a9013f711f34ef89fd4b2048

                                                SHA256

                                                44cd3be882d75aa4d0963a50498c8f1eb93b271db6fcd937bc03f10290d12731

                                                SHA512

                                                2527e0b9f5a9921ce4af139faaf63e5a06d66080edd1ccb72f019e932116529026c330c322a2f62acaeef06a5fcb0d0c6493ff96ad2de0c1158482db4833e3ad

                                              • C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

                                                Filesize

                                                188B

                                                MD5

                                                09b4e6290ea39feae3a590489aa51249

                                                SHA1

                                                c5716ff83273ac31b3982ab74f50aded934f41b4

                                                SHA256

                                                ea3eafd236d75bf98045355c0bb1902a2cb9bc6078972ede4cedf3ff88177713

                                                SHA512

                                                de733a96b7ad0b68c36c76f4dbd9f9e46f5e68732e6bc092fe9d9893dae81b08e6ed89ec7a1531ba89c6bc0c091fe050510007294ac79038ddb8e7d221919d65

                                              • C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat

                                                Filesize

                                                188B

                                                MD5

                                                90503dfd66d411eaf32046eb047d160a

                                                SHA1

                                                4c15e3c6d096d11f06b9d68ebc9d6676b4d36367

                                                SHA256

                                                ba096035e5c0926d63cfd3d10fe6ae4253746faa50b9d3ce2c3483cfd0236775

                                                SHA512

                                                184858240bc141f1b4014029e5fe2465dcace3a3add3ac46e671e274488eb98cb6c3fc3b149b09a52c3075788c29b4166e43bf662f5ab7be96b96c30a27590c7

                                              • C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

                                                Filesize

                                                188B

                                                MD5

                                                45e1dd64615274e6ff5ce841c69a8a1f

                                                SHA1

                                                466f5189a5b0d5e0e990bb3d498d2e8dc693ad7b

                                                SHA256

                                                c437e67dbdb13c7970265203adf4ee0ccc926c61f95818b34dc18289db852c40

                                                SHA512

                                                948aa6f9c1a6a3c042fbb151e9f6a2132f185874a12cbaaaedfc5b0b05b7c593925686bb6b34d5b311c2148be562c957b0cdcc8ccd75a7da31c78e87f2a8fa69

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JWSH9HXV1BPA2XQCNM3.temp

                                                Filesize

                                                7KB

                                                MD5

                                                f5fdd9ce289abbf3aea69e40e16d4387

                                                SHA1

                                                8a3134c72834bc1e8c8a41471b8e10c456c3718f

                                                SHA256

                                                82f3ad538bf4a9f373a04e76e3ce249d4f21d3973073cd116f535575c846bfc5

                                                SHA512

                                                afcdd7c7005aeb450e10682b8b5cce4aed82834d11b9dbd3c7b59add7ec61cbae17f9f707d44f1f2e9195616746f0c61d2b833cf852297f748c385a49bd564fe

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • \providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • memory/340-496-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1960-556-0x0000000000F30000-0x0000000001040000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1976-50-0x000000001B650000-0x000000001B932000-memory.dmp

                                                Filesize

                                                2.9MB

                                              • memory/1980-58-0x0000000001E80000-0x0000000001E88000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/2408-436-0x0000000000A90000-0x0000000000BA0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2528-137-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2528-136-0x0000000001160000-0x0000000001270000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2556-316-0x0000000000220000-0x0000000000330000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2884-197-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2952-616-0x00000000011D0000-0x00000000012E0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2960-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2960-17-0x0000000000500000-0x000000000050C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2960-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2960-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2960-13-0x0000000001370000-0x0000000001480000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2976-77-0x0000000000D70000-0x0000000000E80000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/3064-376-0x00000000009D0000-0x0000000000AE0000-memory.dmp

                                                Filesize

                                                1.1MB
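The Downloads list above is the report's flattened rendering of every artefact the sandbox captured: on-disk files carry a size and four hashes, while the memory/... entries are dumped regions that carry a size only. The following is an added example (not part of the report or of any vendor tooling) that parses that rendering into records, validates each hash by length and alphabet so a copy error does not become an IOC, and emits one SHA256/path line per dropped file while leaving the memory regions out. SAMPLE embeds three entries copied from the list above (one .bat, the DllCommonsvc.exe drop, one memory region); the record layout and the output format are this example's own choices.

```python
"""Parse a sandbox 'Downloads' listing into artefact records and emit file IOCs.

Added example, not part of the report. SAMPLE is three entries copied from the
list above; the Artifact structure and the IOC line format are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

  Filesize

  188B

  MD5

  85b62ca95e5ddf88a8f371d0e7d36aab

  SHA1

  034caf69cb76c1c1c5aaf27b5a0b4b75d6e652ac

  SHA256

  3101b3a26dcf3c7e47bdd44d545bfe1c4a9c865f3985798cfe38fd25f48e6b35

  SHA512

  005b6d996d8b0b357a0051399bf566362a63889f6422ea5b60a0d6d5f3f7e4382bf27c7a24831cdbe6df50d96e0e0acb0fe61d2404e8a58d132e4186bcc74710

• \providercommon\DllCommonsvc.exe

  Filesize

  1.0MB

  MD5

  bd31e94b4143c4ce49c17d3af46bcad0

  SHA1

  f8c51ff3ff909531d9469d4ba1bbabae101853ff

  SHA256

  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

  SHA512

  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/340-496-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

  Filesize

  1.1MB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class Artifact:
    path: str
    size: Optional[int] = None          # bytes, rounded down from the report's display value
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def kind(self) -> str:
        return "memory" if self.path.startswith("memory/") else "file"


def size_to_bytes(text: str) -> Optional[int]:
    """'342B' -> 342, '1.0MB' -> 1048576; None if the value is not a size."""
    m = _SIZE.match(text.strip())
    return int(float(m.group(1)) * _UNIT[m.group(2)]) if m else None


def parse_report(text: str) -> List[Artifact]:
    """Walk the bullet/label/value rendering; each '•' starts a new artefact."""
    artifacts: List[Artifact] = []
    label: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            artifacts.append(Artifact(path=line[1:].strip()))
            label = None
        elif not artifacts:
            continue                      # stray text before the first bullet
        elif label is None:
            label = line                  # 'Filesize', 'MD5', ...
        else:
            current = artifacts[-1]
            if label == "Filesize":
                current.size = size_to_bytes(line)
            elif label in HASH_LEN:
                digest = line.lower()
                if len(digest) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-f]+", digest):
                    raise ValueError(f"malformed {label} for {current.path}: {line}")
                current.hashes[label] = digest
            label = None
    return artifacts


def ioc_lines(artifacts: List[Artifact]) -> List[str]:
    """One 'sha256  path' line per on-disk file; memory regions have no hash and are skipped."""
    return [f"{a.hashes['SHA256']}  {a.path}"
            for a in artifacts if a.kind == "file" and "SHA256" in a.hashes]


if __name__ == "__main__":
    for line in ioc_lines(parse_report(SAMPLE)):
        print(line)
```

Feeding the full list through parse_report also makes the repetition visible: the nine CryptnetUrlCache entries share one path with nine different hashes (the file was rewritten during the run), and the twelve 188-byte .bat files differ only in their random names, which is why the SHA256 of any single one is a weak indicator next to the DllCommonsvc.exe hash.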