Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2024, 13:01

General

  • Target

    JaffaCakes118_b01a6ad11c087a068c9e53cc433d7d8dff9ded343a881503339cd8de471af09e.exe

  • Size

    1.3MB

  • MD5

    fe071f9573ea3915e2198e6c1f761dbc

  • SHA1

    f84cf2c9692969a6f84253ee97cf659dade68a99

  • SHA256

    b01a6ad11c087a068c9e53cc433d7d8dff9ded343a881503339cd8de471af09e

  • SHA512

    2d0385fff286662cb61aebba9d11cb95f564e07d4f52c71ea67f782b3445def471e1046969936d70a884fbf8e54f1b72d29097f3b5a4bcf4e9d3574e30aad096

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b01a6ad11c087a068c9e53cc433d7d8dff9ded343a881503339cd8de471af09e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b01a6ad11c087a068c9e53cc433d7d8dff9ded343a881503339cd8de471af09e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:568
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2460
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2140
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2508
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:2236
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1616
            • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
              "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1092
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2692
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                    PID:696
                  • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
                    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1316
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2172
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        10⤵
                          PID:940
                        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
                          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
                          10⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1828
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
                            11⤵
                              PID:1504
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2460
                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
                                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  PID:2236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2000
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Offline\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2016
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Offline\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2352
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2196
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\addins\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2216
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3004
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\ja-JP\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1704
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1036
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\de-DE\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2212
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:880

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            010abe03fd4c17b2b6d3ed93d4e123b8

            SHA1

            f58df9fff6f26bc78b05eb09cf0ec674ec1a8200

            SHA256

            c4f379839e756929747f85d86277ae18d579d9d57fed34ecdddc82343a2410de

            SHA512

            dc21087acaddc0b01186d8bc214df2e4a619617a2e1ec9b8e095a47b5d7d7db522f470c636e6debaf31a2897a2f61b1df450ce5544d78807d95d8bdb894f5407

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            18bd8ad552a6286e011224add0194b50

            SHA1

            28319beaa2767441f17afb010ceb0f6dc3961f48

            SHA256

            5b33e2519aca616da6d8627c698a317abeb4edbef15f3580f8646d3d79ddb3c5

            SHA512

            b519830aef99583113e4ad2927b3b367c0cc61c544e12dc181b810b478b310f17ab358159d5fc47882ee9ef2164a78bcfb137c7ceece34be282515278abaebb2

          • C:\Users\Admin\AppData\Local\Temp\CabBF5B.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

            Filesize

            225B

            MD5

            3c3bd6552194534e11dd807af5ea80d0

            SHA1

            6199b5e7b00eaa071dcdf110e31f8f662af9e89e

            SHA256

            e383933a8b7bd1eb6babac2a37fad8a9d49bee252eddce989c0e1079e983c972

            SHA512

            ff3e5727a3a2e33cb487fd772127a933467a8eca30fda379cd053650c4333b06f559532de1cfc8c09191819f2612471f643adc3ff6a7b063463fbca1f5e7bcb4

          • C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

            Filesize

            225B

            MD5

            5cac1c2006bad7713023c2751b56a76f

            SHA1

            047bcde3e0da29098f392b4dd73938bff21945ad

            SHA256

            73aace04866c17dfc2773441e057e9a2fa88edbf42ad5a8d5c7b0b610046d2ee

            SHA512

            bf3cfb6b530a351512c70db8ccdf1d655927704738ab33772f74c40abfe185fffc00c2fea6dc23edae8c1615b68379e6438de9ca2351532b196111489fd7b2bf

          • C:\Users\Admin\AppData\Local\Temp\TarBFFA.tmp

            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

            Filesize

            225B

            MD5

            345c099fa2069af5cf46980f19ae73bd

            SHA1

            20db0cbcd63221fb096fe6b8ed2493afd24fdac8

            SHA256

            a051cbd52384dc468e3ec7846d11fe50a1f5de4f95ff3f826f7d1f8b503c428a

            SHA512

            1c3af5bd96c1e36893cc04614c6c7467ba9d0d03ab4347f1f6c03ae3833af6f1f30fd7ce8e7202c96de1a533fcd25e4bbdf82a16c85c968b777b3a7141dbd944

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

            Filesize

            7KB

            MD5

            7440015a370378e884b70ef954895f91

            SHA1

            d51bcf5047c7e3234ac71bc161545e3c9d21524b

            SHA256

            1fb633de7cff50dcff1f69e100fd5f6ff19279e61e52a7424b3a6173f9ac8313

            SHA512

            cff8f4da355e4f57279d18a05023d27e541924c2da9b9bc2137cc506109a427300ec3d13a17bd813f3aec24df110b663171b4432209e373d9194f519066c67a7

          • C:\providercommon\1zu9dW.bat

            Filesize

            36B

            MD5

            6783c3ee07c7d151ceac57f1f9c8bed7

            SHA1

            17468f98f95bf504cc1f83c49e49a78526b3ea03

            SHA256

            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

            SHA512

            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

            Filesize

            197B

            MD5

            8088241160261560a02c84025d107592

            SHA1

            083121f7027557570994c9fc211df61730455bb5

            SHA256

            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

            SHA512

            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

          • \providercommon\DllCommonsvc.exe

            Filesize

            1.0MB

            MD5

            bd31e94b4143c4ce49c17d3af46bcad0

            SHA1

            f8c51ff3ff909531d9469d4ba1bbabae101853ff

            SHA256

            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

            SHA512

            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          • memory/1092-85-0x0000000000B70000-0x0000000000C80000-memory.dmp

            Filesize

            1.1MB

          • memory/1316-145-0x00000000010E0000-0x00000000011F0000-memory.dmp

            Filesize

            1.1MB

          • memory/1316-146-0x00000000003C0000-0x00000000003D2000-memory.dmp

            Filesize

            72KB

          • memory/1792-57-0x000000001B030000-0x000000001B312000-memory.dmp

            Filesize

            2.9MB

          • memory/1828-206-0x0000000001260000-0x0000000001370000-memory.dmp

            Filesize

            1.1MB

          • memory/2448-58-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

            Filesize

            32KB

          • memory/2508-70-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

            Filesize

            32KB

          • memory/2508-69-0x000000001B3A0000-0x000000001B682000-memory.dmp

            Filesize

            2.9MB

          • memory/2756-17-0x0000000000690000-0x000000000069C000-memory.dmp

            Filesize

            48KB

          • memory/2756-16-0x0000000000680000-0x000000000068C000-memory.dmp

            Filesize

            48KB

          • memory/2756-15-0x0000000000630000-0x000000000063C000-memory.dmp

            Filesize

            48KB

          • memory/2756-14-0x0000000000620000-0x0000000000632000-memory.dmp

            Filesize

            72KB

          • memory/2756-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

            Filesize

            1.1MB