dcrat | 4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe
Size

1.3MB
MD5

971ec6bf6e3804b60902f169e4fdb95e
SHA1

b5899d7d8be026667c03a11291af7bc8027c77e1
SHA256

4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90
SHA512

ae1eeaab5fba0ed9e266c94886c284f3af47f640a9c716da90705bbe4a042e9e695ffeb1cd7d25ea41195bb27437e44bf9ced5f53c8c01d05d05268a276d06a1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2736	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001925c-9.dat	dcrat
behavioral1/memory/2704-13-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1108-45-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1360-283-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2780-343-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/2112-404-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2688	powershell.exe
2732	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2704	DllCommonsvc.exe
1108	spoolsv.exe
900	spoolsv.exe
2852	spoolsv.exe
576	spoolsv.exe
1360	spoolsv.exe
2780	spoolsv.exe
2112	spoolsv.exe
1940	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	cmd.exe
2564	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
2604	schtasks.exe
2872	schtasks.exe
2880	schtasks.exe
2928	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2704	DllCommonsvc.exe
2704	DllCommonsvc.exe
2704	DllCommonsvc.exe
2688	powershell.exe
2732	powershell.exe
2672	powershell.exe
1108	spoolsv.exe
900	spoolsv.exe
2852	spoolsv.exe
576	spoolsv.exe
1360	spoolsv.exe
2780	spoolsv.exe
2112	spoolsv.exe
1940	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	DllCommonsvc.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1108	spoolsv.exe
Token: SeDebugPrivilege	900	spoolsv.exe
Token: SeDebugPrivilege	2852	spoolsv.exe
Token: SeDebugPrivilege	576	spoolsv.exe
Token: SeDebugPrivilege	1360	spoolsv.exe
Token: SeDebugPrivilege	2780	spoolsv.exe
Token: SeDebugPrivilege	2112	spoolsv.exe
Token: SeDebugPrivilege	1940	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2044	2548	JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe	30
PID 2548 wrote to memory of 2044	2548	JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe	30
PID 2548 wrote to memory of 2044	2548	JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe	30
PID 2548 wrote to memory of 2044	2548	JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe	30
PID 2044 wrote to memory of 2564	2044	WScript.exe	31
PID 2044 wrote to memory of 2564	2044	WScript.exe	31
PID 2044 wrote to memory of 2564	2044	WScript.exe	31
PID 2044 wrote to memory of 2564	2044	WScript.exe	31
PID 2564 wrote to memory of 2704	2564	cmd.exe	33
PID 2564 wrote to memory of 2704	2564	cmd.exe	33
PID 2564 wrote to memory of 2704	2564	cmd.exe	33
PID 2564 wrote to memory of 2704	2564	cmd.exe	33
PID 2704 wrote to memory of 2672	2704	DllCommonsvc.exe	41
PID 2704 wrote to memory of 2672	2704	DllCommonsvc.exe	41
PID 2704 wrote to memory of 2672	2704	DllCommonsvc.exe	41
PID 2704 wrote to memory of 2688	2704	DllCommonsvc.exe	42
PID 2704 wrote to memory of 2688	2704	DllCommonsvc.exe	42
PID 2704 wrote to memory of 2688	2704	DllCommonsvc.exe	42
PID 2704 wrote to memory of 2732	2704	DllCommonsvc.exe	43
PID 2704 wrote to memory of 2732	2704	DllCommonsvc.exe	43
PID 2704 wrote to memory of 2732	2704	DllCommonsvc.exe	43
PID 2704 wrote to memory of 1536	2704	DllCommonsvc.exe	47
PID 2704 wrote to memory of 1536	2704	DllCommonsvc.exe	47
PID 2704 wrote to memory of 1536	2704	DllCommonsvc.exe	47
PID 1536 wrote to memory of 1136	1536	cmd.exe	49
PID 1536 wrote to memory of 1136	1536	cmd.exe	49
PID 1536 wrote to memory of 1136	1536	cmd.exe	49
PID 1536 wrote to memory of 1108	1536	cmd.exe	51
PID 1536 wrote to memory of 1108	1536	cmd.exe	51
PID 1536 wrote to memory of 1108	1536	cmd.exe	51
PID 1108 wrote to memory of 1512	1108	spoolsv.exe	52
PID 1108 wrote to memory of 1512	1108	spoolsv.exe	52
PID 1108 wrote to memory of 1512	1108	spoolsv.exe	52
PID 1512 wrote to memory of 1664	1512	cmd.exe	54
PID 1512 wrote to memory of 1664	1512	cmd.exe	54
PID 1512 wrote to memory of 1664	1512	cmd.exe	54
PID 1512 wrote to memory of 900	1512	cmd.exe	55
PID 1512 wrote to memory of 900	1512	cmd.exe	55
PID 1512 wrote to memory of 900	1512	cmd.exe	55
PID 900 wrote to memory of 2264	900	spoolsv.exe	56
PID 900 wrote to memory of 2264	900	spoolsv.exe	56
PID 900 wrote to memory of 2264	900	spoolsv.exe	56
PID 2264 wrote to memory of 264	2264	cmd.exe	58
PID 2264 wrote to memory of 264	2264	cmd.exe	58
PID 2264 wrote to memory of 264	2264	cmd.exe	58
PID 2264 wrote to memory of 2852	2264	cmd.exe	59
PID 2264 wrote to memory of 2852	2264	cmd.exe	59
PID 2264 wrote to memory of 2852	2264	cmd.exe	59
PID 2852 wrote to memory of 2940	2852	spoolsv.exe	60
PID 2852 wrote to memory of 2940	2852	spoolsv.exe	60
PID 2852 wrote to memory of 2940	2852	spoolsv.exe	60
PID 2940 wrote to memory of 832	2940	cmd.exe	62
PID 2940 wrote to memory of 832	2940	cmd.exe	62
PID 2940 wrote to memory of 832	2940	cmd.exe	62
PID 2940 wrote to memory of 576	2940	cmd.exe	63
PID 2940 wrote to memory of 576	2940	cmd.exe	63
PID 2940 wrote to memory of 576	2940	cmd.exe	63
PID 576 wrote to memory of 1632	576	spoolsv.exe	64
PID 576 wrote to memory of 1632	576	spoolsv.exe	64
PID 576 wrote to memory of 1632	576	spoolsv.exe	64
PID 1632 wrote to memory of 1808	1632	cmd.exe	66
PID 1632 wrote to memory of 1808	1632	cmd.exe	66
PID 1632 wrote to memory of 1808	1632	cmd.exe	66
PID 1632 wrote to memory of 1360	1632	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ea320e28a5806d1c26f4a5f90b309f5b5675609c420ffba489dd90fff017c90.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fr9ZLtnh5C.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1136
      - C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1664
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:264
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:832
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1808
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        15⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1964
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        17⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2852
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
        19⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1368
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1ac6ce08e382342aae49e4194ee27a1

SHA1
30935cb392a24e7389778e6bdee71ef82a982cd7

SHA256
0b93e1b46772b76cae5678191d2afc70525812ecd1f1be3d262580d3cfa01032

SHA512
5a2e09fcad3dd428ead8bd64505507b5cec76d204d61930e37a85cd785957abb2bbea750bc79627e4aa26338907b26fa641b232362b85fb68c81efb3eef0162d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df0adcab7b1d3d8ad141152b60b1a482

SHA1
7c0ac60cb788a6b42ed5a4a2e2fa449353f6b742

SHA256
77ca322f35d3800b37134cb93a4d8b0af3354d2dc474b41bd3c416450869fdc2

SHA512
994c2d726731f0d484f8dec17f8585e425bae88675e7480456313f128c57dbe2334b1857621c82eff1b813c5eddb15861be8c1e39c115ed02245dbd4a029d7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28a3d4d6e73b13b4273a67a0642dffb9

SHA1
f82789315f79de2e7e4599f15088936dd8d57bb3

SHA256
a76d7e73d47a07fdf56bded3f512d9a9e164dd4fee5661a2c936d78b1de1f093

SHA512
74430bf86c06ef0a834c289ad050b317a3ae3e4d0862f6aa498246a84a90559a533889f951aa8b7539cfaeb3c4eb4f573bbe12c497adc62b14fe84c1bf417c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687842032ed696531d514621c817277d

SHA1
545aa0b79c2cf7ee50ddd6b6bd56a6a49b0e6afc

SHA256
fabd2a611dac4a51ef2ad203e6ca5cedeef51ad62bfee9721e953004d26c38b0

SHA512
dc224ab3f1929e176c476462276ad79afeb918921f0c8acef6004a228b6551b44b1e4d4ef04353e0cb9353bb5f28fa5fac63dd1a36115b8aca7b47cbe0474a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bccdfcd70833ce3e1cbf29fc235c0102

SHA1
79ea644ce3bcf3e43242709a4195501b0c6de29a

SHA256
129cd93b78d3b244ea5aba2c421fa676f9c0e01684fae3899072e2e5c1189da1

SHA512
adcbec45f72875a2fb6269e6bd4eb9d81c4656a90f55ed773045abe51ce3b9223f3e5fbff7934d8f8cd652fa703f7a2273e44cdb0f5324fea5cc2f51d8691d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f068055fe380a856dfdce49041862b15

SHA1
25ea7d11e2d28c935909e2b6fc85153b2085aa3e

SHA256
8142f2a4a7f8f36cea5ba8530aa4cce0d5e129c4752cb041c105fc1cbbc7996f

SHA512
ded6cf286ac0e6c32758c057ebb780444dae66b367b0c3761dd3243b7ddec7126b2f7fc9b7cb76a145734739f9cd05511aa62c84b1a762da783454bb864604a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
194B

MD5
8aaf9b0a35fdc98f03388fb86cd63bfc

SHA1
737111b4f6cb983d78117910b50c9de716686ff9

SHA256
e9a4a91210ec39b5397d055547a85e2bf73335585978c5a0f2234c8a88e57733

SHA512
923826f567ae73793927ecd65570dcbd2ec013a1df3758a57e60a89bfc74de814336dc2c68880533b0003d74ccff86af0da50b8698b2913e414c035c6d8087f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
194B

MD5
30688f0fbed47c62bcd799100b2b1098

SHA1
f8921875bb7ef68bfc4ec58673b0374587d6e84b

SHA256
9baa5a078cd8ec5b8fb398728df7fcee1969f61329298cee969fc7c44b2c0bba

SHA512
75b14f02d751fb49f684688c0819909adf71b3922cf5e19db96fbdfcfafa38c46d569d3b33f491e6f672cac93d76c0d64ad6f61c6e82f91de45e7c47b88e9e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB61.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fr9ZLtnh5C.bat

Filesize
194B

MD5
44889ef4f465fbad61371d7c870621bc

SHA1
20145830cf95a6b3003c999968b378a5ef2981d7

SHA256
f6f20f9a3c6238a97527eec0e95f773bb1142175d76f7f5e7dc0d89a352782cd

SHA512
63d07227790f6abb17f50bdce74b255831e58ed4d008e82647f252cb646099b649cd3003aee90ec1f02e2f18c0cb9eb4e4f18f4f40a07e06652c2d6e1d94d1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
194B

MD5
0c034fc313f9ccd04965cb1685406438

SHA1
41c5abda6f1c996536823d67537dd3684b2dc5f9

SHA256
0a3486860d48216ea419646f86a402a7eda188acfc14920986c5f7a5b38756f9

SHA512
567d78c130995b8554a79de1a7591919e782ab66de8f636521911757c744311221fde2849e17be51fff4b328a564084c0771106dda61b3624260d68fc49d4e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB74.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
194B

MD5
22077195634fc274d6ba1d8d1f517d24

SHA1
eb28ccfc1350961c1b16791eba2441d2c481b551

SHA256
715daf53c9eb98351641a5b2e583e2aabdc7804fce4f0dddb54d537be47bc508

SHA512
64732b189b7df7a5da93f214eeb4b0792713edb8511e74f703ce81b0872ec3fda883ef0af4b670aa97cd32da75d06f76cf8548e366827ca5e98372d2f2b27238

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

Filesize
194B

MD5
ebaaf4bf2b5bb1c5ced798e27f0bedbc

SHA1
61e3dbfbd0b1079982fd0bb0b04dd35881cd025b

SHA256
befc574d9970bb4f69c9c356f22816503bc06b16fd01e51fe34d45956969c445

SHA512
7acb0ed090be4ffa1b7d2f443a89ac308dd40b8cd0dcdc9f871d96429bf408191c7373922feb8fe5ff59be1ad968c7ee2b1f8eb0fc1c610529ef44a3ebaf4fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
194B

MD5
4834de779f03a4785fa7bc8bcd4e4aff

SHA1
bc01b27cd175cca837d4180a87913ff354c46ae7

SHA256
05130ba28a2a59786d8bc8a4f39a46744ba6948a90bd3490d8218d90e74b1d93

SHA512
67f92de28465673c7facd75af944d2f4e8af3f7c2d64dcdb6d934ee2f03b61df049248f9eebb139162176c907b1388389f1695daf407df42f5a5a536c538586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
194B

MD5
b4fda416f56b06052620312b3a2bef16

SHA1
3d8ed36afabfc429016b384e54adbf49b5542d68

SHA256
981f7d93de93f668f0c6e6d3f0a4c7303c6f58289f11226af32b2c9c29f33672

SHA512
6581ec2643af7db56ded63a9a3428f8f1edc1a5483638c5d048b02cbec3a8305cab4db55240a4d561c6e9477ce2a806ebc2049a8929e7eace032365888e34208

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95befcc3b0298bb43fa41a7e18fa3aeb

SHA1
b984f508aa37bc045bb2ae6eddc0cc25f66dbe15

SHA256
27b56f298cbc538f4b6a0896f2056998aca5315bf88e92423b8f4ad98ca86258

SHA512
f0555ed4ff206464b2be3927844304f89eb4ed3c9f1b183e858397a21cfefdb6780f7452bc7bdc0229449337fb1e88722cc18e805936cacbc3364f94c0de125a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1108-45-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/1108-46-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1360-283-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2112-404-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-38-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2688-35-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2704-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2704-13-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2704-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2704-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2780-343-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2780-344-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2852-164-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download