Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 18:50

General

  • Target

    JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe

  • Size

    1.3MB

  • MD5

    e4191f18e6468181c730102499e27fc0

  • SHA1

    88f4f8e3739f4788628c443c6b0ffe09861c3a7c

  • SHA256

    7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47

  • SHA512

    552219f0fcf03b6f8a63d73cb7430e3a3bbef5dc52cf58a635d75f0895a64529aabbc61bdd5fdf4ccb8b1c270d811eaf7b707bdab0e5df00dceecf140378c028

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim system's language in order to infer the host's geographic location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
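
The PowerShell, schtasks and w32tm command lines that triggered these signatures appear verbatim in the Processes section below. What follows is an added example, not part of the sandbox report or of any vendor rule set: three command-line detection rules run over those lines, covering the Add-MpPreference exclusions, the scheduled tasks that launch system-binary names (dllhost.exe, smss.exe, lsm.exe, conhost.exe) from non-system directories, and the w32tm /stripchart call used as a delay. The SYSTEM_BINARIES and SYSTEM_DIRS sets and the three benign control lines are assumptions made for the example; the remaining sample lines are copied from the report.

```python
"""Detection rules for the behaviours flagged in this report: Defender exclusions
added with Add-MpPreference, scheduled tasks that launch system-binary names from
non-system directories, and w32tm /stripchart against localhost used as a sleep."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Names that ship only under the Windows system directories; a copy elsewhere is
# masquerading. The set is an assumption for this example, seeded with the four
# names this sample used plus a few common ones.
SYSTEM_BINARIES = {"dllhost.exe", "smss.exe", "lsm.exe", "conhost.exe",
                   "csrss.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# schtasks switch syntax as documented: /create ... /tn <name> /tr <command> /rl <level>
_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_TR = re.compile(r'/tr\s+"(.*?)"(?=\s+/|\s*$)', re.I)
_RL = re.compile(r"/rl\s+HIGHEST\b", re.I)
_EXCL = re.compile(r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)""", re.I)
# /stripchart with a short /period and few /samples blocks for roughly period*samples seconds
_W32TM = re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def task_target(tr_value: str) -> str:
    """Executable named in a schtasks /tr argument (strips the quoting schtasks passes through)."""
    v = tr_value.strip()
    for q in ("'", '"'):
        if v.startswith(q) and q in v[1:]:
            return v[1:v.index(q, 1)]
    return v.split()[0] if v else ""


def is_masquerading(path: str) -> bool:
    """True when a system-binary name is launched from outside the system directories."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS


def scan(cmdline: str) -> list[Finding]:
    found = []
    m = _EXCL.search(cmdline)
    if m:
        found.append(Finding("defender_exclusion", f"{m.group(1)}={m.group(2).strip()}"))
    if _CREATE.search(cmdline):
        tn, tr = _TN.search(cmdline), _TR.search(cmdline)
        target = task_target(tr.group(1)) if tr else ""
        if target and is_masquerading(target):
            level = "HIGHEST" if _RL.search(cmdline) else "default"
            found.append(Finding("masquerading_task",
                                 f"{tn.group(1) if tn else '?'} -> {target} (rl={level})"))
    if _W32TM.search(cmdline):
        found.append(Finding("w32tm_delay", "w32tm /stripchart against localhost used as a sleep"))
    return found


def summarize(cmdlines) -> dict[str, int]:
    """Rule name -> number of command lines that matched it."""
    counts: dict[str, int] = {}
    for c in cmdlines:
        for f in scan(c):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Command lines copied from the Processes section of this report, followed by
# three benign control lines (constructed) that the rules must ignore.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\dllhost.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\smss.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Uninstall Information\\conhost.exe'",
    "schtasks.exe /create /tn \"dllhostd\" /sc MINUTE /mo 8 /tr \"'C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\dllhost.exe'\" /f",
    "schtasks.exe /create /tn \"dllhost\" /sc ONLOGON /tr \"'C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\dllhost.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"dllhostd\" /sc MINUTE /mo 5 /tr \"'C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\dllhost.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"smss\" /sc ONLOGON /tr \"'C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\smss.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"lsm\" /sc ONLOGON /tr \"'C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"conhost\" /sc ONLOGON /tr \"'C:\\Program Files\\Uninstall Information\\conhost.exe'\" /rl HIGHEST /f",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    # benign controls (constructed for the example):
    "\"powershell\" -Command Get-MpPreference",
    "schtasks.exe /create /tn \"Defrag\" /sc WEEKLY /tr \"'C:\\Windows\\System32\\defrag.exe' C: /O\" /f",
    "w32tm /query /status",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for f in scan(line):
            print(f"[{f.rule}] {f.detail}")
    print(summarize(SAMPLE_CMDLINES))
```

The masquerading rule keys on the combination of name and directory rather than on the directory alone, so legitimate tasks that point at real system binaries (the constructed defrag.exe control) pass while the four drop locations used here are caught regardless of which Program Files, Recovery or MSOCache subfolder the next build picks.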

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2164
              • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1316
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:884
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1728
                    • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                      "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2784
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2876
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:3044
                          • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                            "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2252
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1552
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:3004
                                • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                  "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:1284
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
                                    13⤵
                                      PID:2080
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:1604
                                        • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                          "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:852
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
                                            15⤵
                                              PID:572
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:2120
                                                • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                  "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2468
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
                                                    17⤵
                                                      PID:2088
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:1280
                                                        • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                          "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2420
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
                                                            19⤵
                                                              PID:1984
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:1808
                                                                • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                                  "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2992
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
                                                                    21⤵
                                                                      PID:1844
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:376
                                                                        • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                                          "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:792
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
                                                                            23⤵
                                                                              PID:2608
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:3028
                                                                                • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                                                  "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2148
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
                                                                                    25⤵
                                                                                      PID:1992
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:1724
                                                                                        • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                                                          "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                                                          26⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2408
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
                                                                                            27⤵
                                                                                              PID:2592
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                28⤵
                                                                                                  PID:2912
                                                                                                • C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
                                                                                                  "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
                                                                                                  28⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1860
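
The tree above is the report's own record. What follows is an added example, not part of the sandbox report, that rebuilds that tree from PID/PPID pairs and measures the two structural features worth alerting on: the script-host chain that runs the first dropped binary (sample → WScript.exe → cmd.exe → DllCommonsvc.exe) and the dllhost.exe relaunch loop, in which each dllhost.exe runs a temp .bat that calls w32tm and starts dllhost.exe again. PIDs and image paths are taken from the report; only the first three dllhost.exe generations and one PowerShell child are included, and the SCRIPT_HOSTS set is an assumption made for the example.

```python
"""Rebuilds the parent/child tree from the PIDs in this report and measures the
self-relaunch loop (dllhost.exe -> cmd /C <temp>.bat -> w32tm + dllhost.exe ...)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str


# Interpreters that should not normally be the parent of a binary outside C:\Windows
# (assumption for the example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# Constructed from the Processes section (PIDs and image paths as reported).
# Only the first three dllhost.exe generations are included; the report shows
# twelve, each following the same cmd.exe /C <bat> -> w32tm -> dllhost.exe pattern.
PROCS = [
    Proc(308, None, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6d6d221103c226b106d1d456d164ae0b853cbb773ced51b6bf2ca5f98f8a47.exe"),
    Proc(2764, 308, r"C:\Windows\SysWOW64\WScript.exe"),
    Proc(2760, 2764, r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(3068, 2760, r"C:\providercommon\DllCommonsvc.exe"),
    Proc(2704, 3068, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(3000, 3068, r"C:\Windows\System32\cmd.exe"),
    Proc(2164, 3000, r"C:\Windows\system32\w32tm.exe"),
    Proc(1316, 3000, r"C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"),
    Proc(884, 1316, r"C:\Windows\System32\cmd.exe"),
    Proc(1728, 884, r"C:\Windows\system32\w32tm.exe"),
    Proc(2784, 884, r"C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"),
    Proc(2876, 2784, r"C:\Windows\System32\cmd.exe"),
    Proc(3044, 2876, r"C:\Windows\system32\w32tm.exe"),
    Proc(2252, 2876, r"C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"),
]


def _name(p: Proc) -> str:
    return PureWindowsPath(p.image).name


def ancestors(procs, pid):
    """Parent, grandparent, ... of pid, stopping at a root or an unknown ppid."""
    idx = {p.pid: p for p in procs}
    chain, cur = [], idx[pid].ppid
    while cur is not None and cur in idx:
        chain.append(idx[cur])
        cur = idx[cur].ppid
    return chain


def execution_chain(procs, pid):
    """Image names from the root of the tree down to pid."""
    idx = {p.pid: p for p in procs}
    return [_name(p) for p in reversed(ancestors(procs, pid))] + [_name(idx[pid])]


def relaunch_generations(procs, image_name):
    """Deepest count of same-named processes on one root-to-leaf path; a value
    above 1 means the binary re-spawns itself (here via cmd /C <bat>)."""
    name = image_name.lower()
    best = 0
    for p in procs:
        if _name(p).lower() == name:
            gens = 1 + sum(1 for a in ancestors(procs, p.pid) if _name(a).lower() == name)
            best = max(best, gens)
    return best


def dropped_executables(procs):
    """PIDs of images outside C:\\Windows whose parent is a script host: the
    'Executes dropped EXE' pattern of this report."""
    idx = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = idx.get(p.ppid) if p.ppid is not None else None
        under_windows = p.image.lower().startswith("c:\\windows\\")
        if parent and not under_windows and _name(parent).lower() in SCRIPT_HOSTS:
            out.append(p.pid)
    return out


if __name__ == "__main__":
    print(" -> ".join(execution_chain(PROCS, 3068)))
    print("dllhost.exe relaunch generations:", relaunch_generations(PROCS, "dllhost.exe"))
    print("dropped executables:", dropped_executables(PROCS))
```

Counting same-named ancestors rather than same-named processes overall is what separates this loop from a legitimate binary that is simply run many times: twelve sibling dllhost.exe processes under one parent would score 1, while the nested relaunch chain in this report scores one per generation.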

Network

MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  de7d15a3117bb3d61db86e164b8eec5f

                                                  SHA1

                                                  f4d907a0325245b6f758cb84ce34f6baf106e561

                                                  SHA256

                                                  d858c1b0ad3f54d3422c7d18f83a3ad2a18a5a39139d83c1e76adce32df82eea

                                                  SHA512

                                                  15e8fc18f481dea230e9ca19e4b4a62abf5aafa62c42bb732d935794fc651f8ce53d1f4ce57952436e7513eaef75f6bd7bc1381f8df505175e2ae6cb1254776e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  f9147696819e6e20a0af64cea4ed9a12

                                                  SHA1

                                                  6d89d3dcb37487d48538c5d89de9fae0ce37a9f1

                                                  SHA256

                                                  095fece434dbf7eb2e17ed438565f7736f5bfc9a39631accd4eacc1cdb5b23ef

                                                  SHA512

                                                  a9bf667798e00525c4a6c76b668f60d99eb16611062de432474d3ceba2520f4643cb5562860bcb8db5a46edb325073d326c5b8bf8aeec87a8d80422ed9f6d69e

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  e7fed24b85e71b24dbd866c7dc8a0418

                                                  SHA1

                                                  3dc255e42b1b618842d4cf2303bcdb5e80d2452b

                                                  SHA256

                                                  4d49531c2261dd7984131dd43c70131a86240f051dee2b28750996d38be7c416

                                                  SHA512

                                                  f9e0fd6078eeea422f9aa3dc4dcbd560585fa14759c1adc7411da18391e7d7b1d2668df55a08245cde3d723ae529cd589e3f80c7e209b09009a5584ffc7a0cd4

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  7539379e9ef7fb06f71d313d6b1ee28d

                                                  SHA1

                                                  0120ee11f7281822115921e958ae006ec4d305f8

                                                  SHA256

                                                  595859f93677bd10a6db18af3c1014416b939f2a2de563025c2bbd53943d947f

                                                  SHA512

                                                  24535fd34ce6bd40ecf9de0b879a82da445da6b4cfb0745a7f8686da16ff60a0156ceff2156d4e7d144b62a2f1efb7ce8e2f6e6dd34aa0897c0c03ef245cd348

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  056e92854a2940bc3363bdd082817e74

                                                  SHA1

                                                  48297b71e72c6feb6719e1638ea1bf0fbab21581

                                                  SHA256

                                                  f47d76b51d1f175ad1e636caab40e8d7d2070df9654a125f304946d6841b1217

                                                  SHA512

                                                  028e4082811f6f2bd48a86664cefdfd25d9f727d859f5ef836d77f87a222a30392ff2659fd029b0a1393037a467a5f6da61aa7071719eb31392991f6076a6f33

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  92dff1267a993d686246e76890b207d4

                                                  SHA1

                                                  6867cc7c4a854d53682279028d3057e2deb3482e

                                                  SHA256

                                                  682501c6c2b075d6e630753f6fee04174f55569e3967dc38a2e38f3c77b33b27

                                                  SHA512

                                                  6a9f0f6ef944e18902ff66ddb7a2db73514bae909984e5b7fd9c8bb11e184dbd05f646914449d82a41b2cad6c9dfd03d8f7e44f9b75cff0f8f72509e2061c18a

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  be5e3a0d5496c84db6ef4c881b875d2b

                                                  SHA1

                                                  9c87e9503748591d6132949e93775a8bcfa8ba75

                                                  SHA256

                                                  dc8bf0f5342d844d3741c7fb7fa20aea02f24ca7b6b04be33eadb48b42ca718f

                                                  SHA512

                                                  96edd821dd144f9e2fd4a80b32301983ac646177a6601e606e8d4029949a2a36ded775a0aa923c832655ca0b135ac3b996dd538c39fbaf18f6a3dc596dfdca83

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  4bc664ac3745322a0e9d5647b6082d08

                                                  SHA1

                                                  78a2d147000007aace3252dfd6b6572eb474779d

                                                  SHA256

                                                  86e9986a3a062976bae03e7d6fa30d471c210d998dec2ba785a10baba1963209

                                                  SHA512

                                                  2883a8626c90cac93cc6bbf058aa9f28ed42a5100098ad9039925df68fc64ef26d0ff5b9083a933defebfb888729556752c2fb3a016235cacf33b2a83df87dc9

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  c93877d031f89131c8e56de471d22bc9

                                                  SHA1

                                                  725ca9ed7a0219ba64df3b7db6635d22d5a4a7e8

                                                  SHA256

                                                  3ee5aea7fc51c30a1720fa71b94baa2ca1eb987f08ab4dd8d1cd65ce3033e959

                                                  SHA512

                                                  b383b32fbf7fcb14c1f17903b6a3f601de121b3e31f9f56780d3360e09a50564aa98bc5014b8f1ba9e55a25d9ee293ac52d9ff93b0c6517f9a410c0e2ccba0bc

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                  MD5

                                                  1f9ef336f40cb7063f012701a17dac78

                                                  SHA1

                                                  1c2a19e1ae3bedc7e7a463c388a8fb791a4af44b

                                                  SHA256

                                                  dbbbaca5fd0b53523e3df6ba9940d34530c9580e429b891a2f770fd3db40c359

                                                  SHA512

                                                  24b1de72ef691fb4946a771176c87c103f6b8995c4e150fd60a7634c76ae10415cd1833c5632e25fee4e4d591213dcecdeeb8736523e0660c4fbadb25793975a

• C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat
  Filesize: 224B
  MD5: 6eaa45555be933ac4fd58f19e643a715
  SHA1: 5c08770b034154bd9e7bd853beea0a1f6f2cbeae
  SHA256: 2e60663dbc1e9587a09524d42681d14ebe689154ab0ed1b7a9befa89638c4fca
  SHA512: 193db2099e4c40d5fcd0e4a596a1f2db4b2d89e7fd2320461677fd01560649dec41d3ab06133f3ea9490472ab8f608247ca908694616ac2972f0cc4bb637ceb8

• C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat
  Filesize: 224B
  MD5: 7eef6af33c6be9abd1141212f966440a
  SHA1: aefd193b4158f54a7effb30091e870f4143c9abe
  SHA256: 633b99334aeac4dd6ec66e2e90f90cf8b98212a7756e6ebf02effc5c81745372
  SHA512: 2ed857d25cbed2486221ae30b41ad0821334e089addb216b750f9e11df3902ffbaa439d530cf007f300d287a3b7f79b4392b1270c2a8c41faa1dbd550ce6aeaa

• C:\Users\Admin\AppData\Local\Temp\CabBCBC.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat
  Filesize: 224B
  MD5: d7213dea21d90582e57766730bfc2573
  SHA1: 39f88acdf78cc28dce47da7b372bf845d64a7261
  SHA256: 4e8d40965e9358a36e060d972de90d756844ba93160cda5fd653d4f85b735004
  SHA512: e2dac001ac1a1e251d7556fc46546426cb3cbf3ca45d2da7e72ed20d569708a45d16fec2afe98a2c8fad5376715b71430da3384ed7a4988c1c45f2c881a732dc

• C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat
  Filesize: 224B
  MD5: 8b9a225972cf21da7a322b334373dcee
  SHA1: c75519e9e1e08509fb9f09bc58c56769f5b43a1a
  SHA256: f768440a409e73bf81063ce0e3f565fab05436005758b0e3720403ef3e189aa4
  SHA512: c2ec5fc04c34b334c9049ebfbade9fe46fe121061ec15604707bf4bc613921227fa59c3ed06020cbac7abbdbd475a38d574b13f3d3a1c2c195d0205fd5e623e6

• C:\Users\Admin\AppData\Local\Temp\TarBCCF.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat
  Filesize: 224B
  MD5: d6948ea745702a35733ebf1723a6681e
  SHA1: 5539a968d50bcb729b792f0e602ea88b11388efa
  SHA256: 7d58f2c2b10beeaf9f0fbd4cbf2ecc5bcf1e27e66d0d5a47a1889274a89dd5fb
  SHA512: 1f7055475e007ce550112c38418102591f6f6b20368238cdc0623ba79bc1d77209740e499371d9fbfac8be0d038a32f5beebea94e5307b568298ca0c61cc1dd4

• C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat
  Filesize: 224B
  MD5: ebac7241d46059adbefa41124dade84d
  SHA1: 57905f0ba723ea2ab7c42c4ca4ebc59bb7eb825c
  SHA256: fa02529434d46cf17486b0ce37316b9f281220a943f51812f0a4112889586fe8
  SHA512: 1a0be4f7770322425473062a778498ecb54d1ca4820c32b8493c1b94c8919c8ec2fe518a1e6d258e97aaaa72cfe44ee0e86961223aa65feacc743e52e29b6029

• C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat
  Filesize: 224B
  MD5: 631d63e11210b3082dc6357c0d73bd34
  SHA1: d0ec58a0d44ccb47e06dd3f7e75e7e599e3db750
  SHA256: 4e46144d9c8b7f261cadbd7fb335e3de660f2a1a4307bc68e3943a044373aceb
  SHA512: 7087f213252b2cb987ac039e152a4ba7fc3840175d4128c8771ebc148ab74d12ffc70ef7da5eb46306df50cb0327de6c5fe9ffcb830eefd34c35e14e5bf04b99

• C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat
  Filesize: 224B
  MD5: 7d612f8b16dc0ff1d1bbe3d5d38ff18d
  SHA1: c59a28ae88300b3e218455b9a02b3cd643cd7e4f
  SHA256: a3ca7ebb9b6c3d2158b9dcf77be497ab2cd26af65e561c171335a58a27a00754
  SHA512: 558518e537864ad93b93c240917bd37af7b760fa710f622051ec3d50f8208008955109121eee6959afd980adfbf87deea16ca474291290d024c651290b83529c

• C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat
  Filesize: 224B
  MD5: 944c2ebdd10703b8b4e10a7d71916167
  SHA1: 94e5aa9663ca7017a790292cfa24e69081bcd280
  SHA256: 8669d28de44d77f2421fd9cfc201d5c2497c97a5c1a0b2a9bc4d09e92ed1b23c
  SHA512: bac04c13837895183c7ea583219c01be3e6507bda87b690b3fba320d3996dd04e688479b01596c0829a44224e48decaa87e1ce54c0cd9d24ba27e80f98119f31

• C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat
  Filesize: 224B
  MD5: e933a4754fdcc38b8917285ac1fbf8e0
  SHA1: b3ea1671d6ed7b04b5e3d79d8b1485948e7addc9
  SHA256: 7c21e2338bf717619f5b62712c680485c8a0968279cbc38bc3aacdbed3237dfa
  SHA512: 28c1863bcad51249b72f2fc1efba43bfbedc1e1809cabea2e983472e62d581de9bf8475b03a927cb37ee612ed7a46488d4d0c22fd127be92ebd952d3242467c3

• C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat
  Filesize: 224B
  MD5: eea07ec2ac4835719d0a656c29622b93
  SHA1: fc48409115c275edaefd41ed370dcb19e58a756a
  SHA256: 8a94bf2f550a15bc0abad7c3c1c7baebe0073b0f9312cd32fd7e6b49c0b1a354
  SHA512: 0faa9e99b224c5f8171acf3466fabbdaa0de512c1a0ee881a2c6f36eb4561ece81493a461a5c8910e42dece0913921d05a54701eecde6fa6def42c6ed11916b7

• C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat
  Filesize: 224B
  MD5: 69f5fee6a3908adf8a8e7b016127f60a
  SHA1: d1fd255e6f6122e4a24729d27efb65dce0bb0c23
  SHA256: b934ffee25d293eee9bc66c0bac8320f3cd1704ca4dfb1935380aa9903d15862
  SHA512: 6f0e35a0f0ac4f978ee928e4ac2b247ca5a6672994905ade391c24ca5e9ba45a69b6f66f31a33412dd181b8280e51e85aa3142d55b26a8de25f1cc53c154eb7f
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: b5ea56f3e3873e61e6ae8b9b4b0488d4
  SHA1: 90570fd9bc2765ca4260fc3104274f08b042dba5
  SHA256: 50c88031e305740f6e3d73eb07a5ec92ec08a9d0eca884aefa2cc5131203001c
  SHA512: f3435795df45ee744481844d86916fd0ce94a86486e873ce19a17792d9d2256c2d90e668ea9e6491956468b7307f643cabdde2c08877ee764c016d22667978c7

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
• memory/792-541-0x0000000001340000-0x0000000001450000-memory.dmp
  Filesize: 1.1MB

• memory/852-299-0x0000000000E60000-0x0000000000F70000-memory.dmp
  Filesize: 1.1MB

• memory/1284-239-0x0000000000250000-0x0000000000360000-memory.dmp
  Filesize: 1.1MB

• memory/1316-59-0x00000000000A0000-0x00000000001B0000-memory.dmp
  Filesize: 1.1MB

• memory/2252-179-0x0000000000270000-0x0000000000380000-memory.dmp
  Filesize: 1.1MB

• memory/2420-420-0x0000000000CB0000-0x0000000000DC0000-memory.dmp
  Filesize: 1.1MB

• memory/2468-359-0x0000000000330000-0x0000000000440000-memory.dmp
  Filesize: 1.1MB

• memory/2468-360-0x0000000000570000-0x0000000000582000-memory.dmp
  Filesize: 72KB

• memory/2724-41-0x00000000022A0000-0x00000000022A8000-memory.dmp
  Filesize: 32KB

• memory/2784-119-0x00000000004D0000-0x00000000004E2000-memory.dmp
  Filesize: 72KB

• memory/2784-118-0x0000000001310000-0x0000000001420000-memory.dmp
  Filesize: 1.1MB

• memory/2820-719-0x0000000000340000-0x0000000000450000-memory.dmp
  Filesize: 1.1MB

• memory/2884-39-0x000000001B5B0000-0x000000001B892000-memory.dmp
  Filesize: 2.9MB

• memory/2992-480-0x00000000002D0000-0x00000000003E0000-memory.dmp
  Filesize: 1.1MB

• memory/2992-481-0x00000000002C0000-0x00000000002D2000-memory.dmp
  Filesize: 72KB

• memory/3068-17-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

• memory/3068-16-0x00000000003F0000-0x00000000003FC000-memory.dmp
  Filesize: 48KB

• memory/3068-15-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize: 48KB

• memory/3068-14-0x00000000003D0000-0x00000000003E2000-memory.dmp
  Filesize: 72KB

• memory/3068-13-0x0000000000E10000-0x0000000000F20000-memory.dmp
  Filesize: 1.1MB