Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 18:52

General

  • Target

    JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe

  • Size

    1.3MB

  • MD5

    f3c9c8fcdc97ee343cd1c164b4b4c8ff

  • SHA1

    4ee049708648e7307f0fead0d284f323048b8201

  • SHA256

    d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169

  • SHA512

    ca3959e832d5416bdd891fbb85a5ea0d3103cea8399e14fc16ba3b709b72f5d90d91fbe7d1176b0bc1f8d77675513ade69fe15cb2b146957378755f7e0cfb6fc

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1960
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2544
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1032
              • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1292
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
                  7⤵
                    PID:2140
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2004
                      • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1628
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2168
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:3036
                            • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                              "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2300
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2980
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:1652
                                  • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                    "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:2800
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1640
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:872
                                        • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                          "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1592
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
                                            15⤵
                                              PID:1012
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:1656
                                                • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:764
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
                                                    17⤵
                                                      PID:2956
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:1720
                                                        • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                          "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1964
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
                                                            19⤵
                                                              PID:2460
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:2216
                                                                • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                                  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1696
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
                                                                    21⤵
                                                                      PID:2868
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:2508
                                                                        • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                                          "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2548
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
                                                                            23⤵
                                                                              PID:2168
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:2364
                                                                                • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                                                  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3012
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
                                                                                    25⤵
                                                                                      PID:1736
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:2808
                                                                                        • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                                                          "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                                                          26⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1104
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
                                                                                            27⤵
                                                                                              PID:2344
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                28⤵
                                                                                                  PID:444
                                                                                                • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
                                                                                                  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
                                                                                                  28⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2440
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2592
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2636
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2728
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2604
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2812
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2540

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  e34bf06c357272b3f282b21389c5d357

                                                  SHA1

                                                  70b38b9c81983df7e9f78d250571b262173c9e46

                                                  SHA256

                                                  3bcfbead674605049e91faeef3ea9e3b8e769516056ce12e79c96a3c8e2c5359

                                                  SHA512

                                                  4f7402098a723f4d4ec6c429d5e0644a0d70fa69835da0b833542b49b5122593b147b68b769ee2630c66f14fa89149610c97da8427bdb1534e65dc2712941e47

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  8c2641c7f1f55b0851b94d59f3ec44d2

                                                  SHA1

                                                  bfb6bcfa354cab9508cbe34bc3e97bd0c0cbb9e6

                                                  SHA256

                                                  d52a35674fe78ef9aa49dc0ace3c0f21932cf65ebb1a9b1231be61ea968dbe15

                                                  SHA512

                                                  f5aa18fa862cf1d415e0f2f5c18b1df011a4daca0279a4648b92c2eb5e0696863b5ea1d58c52cb2b969035a96073c5e3a93dd20db4b1ffe4d238753891142a82

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  ffdb44cc5c69eb2d303cd7e1e8e815f3

                                                  SHA1

                                                  86a3d05d8344a6838b7fcf593b30fc7b27ddb64e

                                                  SHA256

                                                  dc7947926b9e8c270142b8938c7baff1a7133a34fe8b991788d4fd43272866f9

                                                  SHA512

                                                  0ca0beb9337eb4c1d22f414a3717251877c0be159c95fc8ad4823678aa98c62cc253d79484140aecd1d4a72bda43ba1797b39486feeb98dbd468328faf39ad39

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  e0fdd7cbd2a0fa99f63f374b149b01d8

                                                  SHA1

                                                  c3518795d4cc010927691ce6f8f8e4a7d2a6d9a6

                                                  SHA256

                                                  69986be0bcae5bd661a29a7e0af4381bd48a1afac7464e376469f684ab7e1159

                                                  SHA512

                                                  c44105cdb6c3f2973e75f4065c217adaebda8d7e842130343b8db8847561695e473f4fce6cc12b1e73820abbe0cec4bf88e38b68109252a3bba5c5c466676d68

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  a20e7bf785ab1704df46d245dda618b6

                                                  SHA1

                                                  97d24c1146b138236df4a5d7f3158a8534d74c59

                                                  SHA256

                                                  517b54a02682ef2d3f74b05f3a6d0043c22725817adeac545a712e9eecda342f

                                                  SHA512

                                                  a76dd65fae11852d96154e3276354415b2e1c18f1f7afe6d3987cb2b526a31ae00b5aa1c594cd90af7e04c560a80c4df578b47fbd1444fac9ef01bd972b2362b

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  67b59173df2213b7f9b93a58a81a853a

                                                  SHA1

                                                  99a9af578ac792991a7c632dea07c58072db5835

                                                  SHA256

                                                  1c1998e6720d92f1c6c140448eabb3b39c2c058fa69859a0ed4fb50cfb4368bd

                                                  SHA512

                                                  a744d213e6d3d4dc3ff235ff974d342d7d97618b802d32d4a642a2e7b67df9cdf6272e9bc2f0f467d33f91a0c733dfdd5dbbc30d97cd74ef13b989e1105cea9b

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  a245f85e1a9af5f2c4c3178e2a0b5552

                                                  SHA1

                                                  6b82adce744353d6096a146dc19710bde9e41ef9

                                                  SHA256

                                                  470833d643468b35dfb5245ef7f42ff179a9daa4a4b146e6572408ceea15d5ca

                                                  SHA512

                                                  14a0e4ee9f8bc03f37c7fb0961d8287a6db80d33be353576627683c16f6517f9e07d758d2441fbc1d2d94eccaad547ef950d4758d253518d02354141d10a1040

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  82bed4fde9e447f180350cdd86da0c68

                                                  SHA1

                                                  aaf95a6b6ab7209d85f3a543b0d63dc2b87eca63

                                                  SHA256

                                                  5942a021a02f7ee8276682027fdf94304b47a51ae2e301fbc3ff0f406817ce58

                                                  SHA512

                                                  a80cf461a8b48131d96843b021040cf0a1f07363176c841f660a295a52e4d77d990cb02992c2ba005fa2c2118d498de5225ac253d1ce2d3233106483c08ea38e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  1471558b5a25f2e7edcd8a82403ab3cd

                                                  SHA1

                                                  ec006bc3de7a96619a2d0c0e4e8ba4dfab738b75

                                                  SHA256

                                                  ea30fe42ac7df7a8071e05dd1c3ac7b7b610fbb715fcc984c3427fae84a5ed77

                                                  SHA512

                                                  3823493560a98045af979648674f933fcd91e46ae11f0e13bb7cfa83905e907cd8f371115d408f8a466d00515759845fc1bdf70199e37e06d9334a75ec5ff1f2

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  541a94f3a70a62d0eac49fd67260d3cf

                                                  SHA1

                                                  93d1be511710dea084533f3212d49c1a112ea2cb

                                                  SHA256

                                                  204d55ac26d47f128b47763d73aeee894a94e6ea7065504377d4af684cd1f72c

                                                  SHA512

                                                  4c583434079064dd6d123a624f958e41ffc883f66a119553a9bf7caa28e0c6f04e40c937ed6842d6cfa9f2984960c744b6aa622326b046e46120c7ae42815202

                                                • C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  1c152c53cb71a3572e4cd4b1285bdaa2

                                                  SHA1

                                                  6a23e94d065480df5a1094218e9ac76fa752c068

                                                  SHA256

                                                  af9958dc26ff5b8af86a5190ff9e913190184edfd3b1f9b4a020a5f6b0c0e712

                                                  SHA512

                                                  b15ab97eda0b2274452db84968808de927afbbadd76915ccb2d1097e73880a76f1866bd34643f412c38433de41babfc73217bb282f74be1387bc62716df2f5da

                                                • C:\Users\Admin\AppData\Local\Temp\CabE3BC.tmp

                                                  Filesize

                                                  70KB

                                                  MD5

                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                  SHA1

                                                  1723be06719828dda65ad804298d0431f6aff976

                                                  SHA256

                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                  SHA512

                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                • C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  4670143960c4042239aebb3ed2b30840

                                                  SHA1

                                                  676343886fbae68daf4afb63ad05be779a793db6

                                                  SHA256

                                                  0b2fffd5a58afce869e2219717dd1efa7cab9646d6fc8791592ac33a17b4575c

                                                  SHA512

                                                  7e265fc450d311bc313722675c3a5211b4fa16425fb19947951256d83463f4b3ad7ac33562f5a4f1efabb338cb68be4c4f951aadc6e96a92eeb6cc0af2a8c2fc

                                                • C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  f34f24588210de7f04d2e67dd3f5e6cc

                                                  SHA1

                                                  1fe8c2f99d13c2236ef2833c8252b2be0c5687ec

                                                  SHA256

                                                  ca75d0f4b15d17a34967fff9861f5bb8344a9c58f2068dc826ef44b2959e9113

                                                  SHA512

                                                  324857cda7f39e23fb88c5bfaad4c596544265f05fc273fb429ed94336b9e774c208eb10b8afc773f86b68face5e625c39ea8f4d7f869f15eaefad969978f2ab

                                                • C:\Users\Admin\AppData\Local\Temp\TarE3CF.tmp

                                                  Filesize

                                                  181KB

                                                  MD5

                                                  4ea6026cf93ec6338144661bf1202cd1

                                                  SHA1

                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                  SHA256

                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                  SHA512

                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                • C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  ebff3c7cc1dd60089b886e5ea1ce3d3c

                                                  SHA1

                                                  c5fd2cd1a3caacede728f92e3043a08388af75e1

                                                  SHA256

                                                  d9a86d75d7c24879760b032c53da30a70891d508e2df5cc7643c07830abbafc3

                                                  SHA512

                                                  8742d6be0b518a024ea1453f610c8956f2bff02e11199890c97e959aa11a106791465b884c286e5923b26b8ad57153761bbc4b1f2bed8ba8251a31144ca671c4

                                                • C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  1a0ad7726d6c95e931dbbfe08c2ba080

                                                  SHA1

                                                  145577956c529e45f0d02c4118c921ed89772bd8

                                                  SHA256

                                                  94c6cfda08c1e510ae4c00c6144c3b7f7d1a9ef0357b11544f5b8784469f3650

                                                  SHA512

                                                  f561124331401cbc1f650ba0cd085af172099582a146ba79c7a9299bdb289d6d8b81cd57814f0cbac6b1bdc0a04ae5b1e128f3728535f918f31d9d2cbc3687c0

                                                • C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  41a0395d219ce451f4acaaab5927bba7

                                                  SHA1

                                                  039977bbbdf02dd328e9a4908d70299693daf114

                                                  SHA256

                                                  d969724166a7ee3c0db50d093d4a1e68db49088aaf5cb3de238eb096770a7d25

                                                  SHA512

                                                  ce166fb6a10a33a6d2aba43a5ae769bd1812f671e76c02eb2e8a8549daee70deb6dac37cca399ad3fd9fb1bee02fca6b3894565b88bee56d8960ae1ca3c5ca97

                                                • C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  32891d3fa30443dcd67f4ebfba8d1de9

                                                  SHA1

                                                  77cccf05f722737f021ff55819ac7d09104dc0e0

                                                  SHA256

                                                  ca6ef58209a76b3247bd0c172ed43021d20861de18755e760f29d68c14e61bd2

                                                  SHA512

                                                  8aeb71e17c230e70085ee542cde2fc01afa0e2d7e93bab36ba2ac1e46b95a72b18c2f69c0ea458b0d35ffa22348f51366faadc8e979da99360341cfaf9845332

                                                • C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  2f222b14373e37acd7e96a76e170ec5d

                                                  SHA1

                                                  292c2343ea1dbd2f34824f4aa2b3db97fb17362d

                                                  SHA256

                                                  1f94db8b76a909bdcd48c4c66247a7fb6677369733eee9b728094405a00bbd77

                                                  SHA512

                                                  275ad0a5404b07ec79ab239cc3d45c72032412a17d30fcef528f7260d9dad5d541996c3007d278547d0359e9470aae7df7f9c4a1a0c0b78ed1f5104e9820056a

                                                • C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  f9951ecaece3ca8fce1d10b89ccd03ae

                                                  SHA1

                                                  73b8decbc6ecbc93c3a04c4b2df6a6d7da3d6656

                                                  SHA256

                                                  1af14a7e95d52b106cc2b36bc458f32428a613249c371af705ce4f2b321b0fcb

                                                  SHA512

                                                  e4e2d4462ff45a5bbe466ae8239cce9ca3a63084cbc9983e152f5e99101509b85642f4a507603aab098fa92bc107f3422fc7f1c5411ff1a29ec4a44c73c26447

                                                • C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  1dbe82acd06c5dfec97ebf8a345db024

                                                  SHA1

                                                  f3eeb392affc5d6911432123f409ed59f507bf20

                                                  SHA256

                                                  ea3edecc9503178c74aacba1279c1c6f5a9cc30ffe41e0095d686b6fdbeb31dd

                                                  SHA512

                                                  b5c4cffb6a5a034a86fd6297ba9ef1623f1b5b423872eafb863a0cb779b8122cccf4571c325c25bda4d489b86434ce9f40ba9daee44af98ed37a8af5cb2e18b1

                                                • C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

                                                  Filesize

                                                  225B

                                                  MD5

                                                  a64db4a1b0bb99fa1eb9ead51d8e575b

                                                  SHA1

                                                  9bcbc622b02a0a95963806003895fcda659bfdda

                                                  SHA256

                                                  b214fff58ab6cb4cb50d5d7404ef6db4cff7207df73779639ea63e20d5818682

                                                  SHA512

                                                  13d6001618cbc0f965bc007c3a56bd32618403c306d340b18cdcf18b6a8ed5c957ac4bef99d99099b3f325e290ecdd23add216b0d4b968b60959532ee92faf51

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V90WW3BQFYXQKMWYBYQO.temp

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  389d97ff412fa01d84a708c3476c37fd

                                                  SHA1

                                                  7ce0954c9f25ba50016b9c8cf8973752f243c2dd

                                                  SHA256

                                                  eff603ce8fddf2a09854fa1315f666df5f63cdc29abc9fb5efa628b814de3a95

                                                  SHA512

                                                  8e0fd803c27cf71face47689c4439b607f9e0309c0be550b2f1fee15e364a2c6655511228618a01260eb6e661f95936ef1e9a19fadcddbf5c73b27ac9cc589ce

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • memory/764-359-0x00000000000E0000-0x00000000001F0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/824-35-0x000000001B570000-0x000000001B852000-memory.dmp

                                                  Filesize

                                                  2.9MB

                                                • memory/824-36-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/1104-661-0x0000000000160000-0x0000000000172000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1104-660-0x0000000000230000-0x0000000000340000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1292-58-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1292-57-0x00000000003F0000-0x0000000000500000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1592-298-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1592-299-0x0000000000250000-0x0000000000262000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1628-116-0x0000000000FE0000-0x00000000010F0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1628-117-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1696-480-0x0000000000A30000-0x0000000000B40000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1964-419-0x0000000000250000-0x0000000000360000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1964-420-0x00000000005D0000-0x00000000005E2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2044-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2044-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2044-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2044-16-0x0000000002380000-0x000000000238C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2044-17-0x0000000000A00000-0x0000000000A0C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2300-177-0x00000000002F0000-0x0000000000400000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2300-178-0x0000000000140000-0x0000000000152000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2440-721-0x0000000001310000-0x0000000001420000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2548-540-0x0000000000B30000-0x0000000000C40000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/2800-238-0x0000000000F10000-0x0000000001020000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/3012-600-0x00000000010A0000-0x00000000011B0000-memory.dmp

                                                  Filesize

                                                  1.1MB