Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 04:24

General

  • Target

    JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe

  • Size

    1.3MB

  • MD5

    770d1c4cb7c77341141b83eee8352d98

  • SHA1

    97b07ebc82744510332c8c451e78821d2a8a8ff3

  • SHA256

    b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9

  • SHA512

    c160acca3ddec0ff01ce70f026982c1e9583d6dd4aa26de6fe9e3326706e75236cfac39a0715579264e683776ea3f25905a070385d2f60a4e71f5f748e479d17

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4e37e7ac118bb9393937345a48ef4e0b27c24e516baf675f187e1416d66c6d9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2248
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2076
              • C:\Windows\Registration\dwm.exe
                "C:\Windows\Registration\dwm.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1320
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2860
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3064
                    • C:\Windows\Registration\dwm.exe
                      "C:\Windows\Registration\dwm.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2616
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2204
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2396
                          • C:\Windows\Registration\dwm.exe
                            "C:\Windows\Registration\dwm.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2088
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1140
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:1924
                                • C:\Windows\Registration\dwm.exe
                                  "C:\Windows\Registration\dwm.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1544
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
                                    13⤵
                                      PID:2932
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:876
                                        • C:\Windows\Registration\dwm.exe
                                          "C:\Windows\Registration\dwm.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1092
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
                                            15⤵
                                              PID:3036
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:3012
                                                • C:\Windows\Registration\dwm.exe
                                                  "C:\Windows\Registration\dwm.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2772
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
                                                    17⤵
                                                      PID:692
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:288
                                                        • C:\Windows\Registration\dwm.exe
                                                          "C:\Windows\Registration\dwm.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2648
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
                                                            19⤵
                                                              PID:3052
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:2032
                                                                • C:\Windows\Registration\dwm.exe
                                                                  "C:\Windows\Registration\dwm.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2432
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
                                                                    21⤵
                                                                      PID:2476
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:1988
                                                                        • C:\Windows\Registration\dwm.exe
                                                                          "C:\Windows\Registration\dwm.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\de-DE\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2028
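The Signatures list names the behaviours and the process tree above shows their exact command lines: Add-MpPreference calls that exclude each dropped binary from Defender, schtasks /create entries that relaunch copies of dwm.exe, cmd.exe, spoolsv.exe and explorer.exe from directories where those binaries never live, and w32tm /stripchart against localhost used as a sleep between relaunches of dwm.exe. The Python below is an added example for this page, not code from the sandbox or from DCRat. It turns those three patterns into command-line heuristics of the kind one would run over Sysmon Event ID 1 or Security 4688 CommandLine fields; it assumes a stock Windows directory layout for the impersonated binaries (LEGIT_DIRS), and its sample input is the command lines copied from the tree plus one constructed benign task that must produce no finding.

```python
"""Command-line triage for the DCRat behaviours in the report above. Added
example, not the sandbox's or DCRat's code: flags Defender exclusions via
Add-MpPreference, schtasks persistence using a system-binary name outside its
real directory, and w32tm /stripchart against localhost used as a delay."""
import re
from pathlib import PureWindowsPath

# Genuine homes of the impersonated binaries (assumption: stock Windows layout).
LEGIT_DIRS = {
    "dwm.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
ODD_EXE_DIRS = {r"c:\windows\tasks"}  # holds legacy .job files, not executables
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
_MP_CMDLET = re.compile(r"\b(?:add|set)-mppreference\b", re.I)
_MP_EXCL = re.compile(r"-exclusion(?:path|extension|process)\s+(\"[^\"]*\"|'[^']*'|[^\s\"']+)", re.I)
_EXE = re.compile(r"(.+?\.(?:exe|bat|cmd|com|vbs|vbe|js|ps1|dll))(?:\s|$)", re.I)


def tokenize(cmd):
    """Split a Windows command line, keeping quoted spans whole and stripping the
    surrounding quotes ("'C:\\x'" -> C:\\x), which is how schtasks /tr is quoted."""
    return [t.strip("\"'") for t in _TOKEN.findall(cmd)]


def defender_exclusions(cmd):
    """Exclusions an Add-/Set-MpPreference call would register; [] if none.
    One -Exclusion* switch may carry several comma-separated values."""
    if not _MP_CMDLET.search(cmd):
        return []
    return [v.strip() for m in _MP_EXCL.finditer(cmd)
            for v in m.group(1).strip("\"'").split(",") if v.strip()]


def w32tm_sleep(cmd):
    """Flag 'w32tm /stripchart /computer:<host> /samples:N' used as a bounded delay."""
    low = [t.lower() for t in tokenize(cmd)]
    if (not low or PureWindowsPath(low[0]).name not in ("w32tm", "w32tm.exe")
            or "/stripchart" not in low):
        return None
    opts = dict(t.lstrip("/").split(":", 1) for t in low[1:] if ":" in t)
    samples = int(opts["samples"]) if opts.get("samples", "").isdigit() else 0
    if samples == 0:  # without /samples w32tm runs until Ctrl-C: not a fixed delay
        return None
    period = int(opts["period"]) if opts.get("period", "").isdigit() else 2  # w32tm default
    return {"computer": opts.get("computer", ""), "period": period,
            "samples": samples, "max_seconds": period * samples}


def schtasks_persistence(cmd):
    """Parse 'schtasks /create'; return a finding if the action looks planted."""
    toks = tokenize(cmd)
    low = [t.lower() for t in toks]
    opts = {t[1:]: toks[i + 1] for i, t in enumerate(low)
            if t in ("/tn", "/tr", "/sc", "/mo", "/rl") and i + 1 < len(toks)}
    if (not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks", "schtasks.exe")
            or "/create" not in low or "tr" not in opts):
        return None
    m = _EXE.match(opts["tr"])  # executable part of the action, arguments dropped
    target = m.group(1) if m else opts["tr"].split()[0]
    path = PureWindowsPath(target)
    name, parent = path.name.lower(), str(path.parent).lower()
    reasons = []
    if name in LEGIT_DIRS and parent not in LEGIT_DIRS[name]:
        reasons.append(f"{name} masquerade: genuine copy lives in "
                       f"{sorted(LEGIT_DIRS[name])}, task runs it from {parent}")
    if parent in ODD_EXE_DIRS:
        reasons.append(f"executable stored under {parent}")
    if not reasons:
        return None
    return {"task": opts.get("tn"), "schedule": opts.get("sc"), "every": opts.get("mo"),
            "runlevel": opts.get("rl"), "target": target, "reasons": reasons}


CHECKS = (("defender_exclusion", defender_exclusions),
          ("schtasks_persistence", schtasks_persistence),
          ("w32tm_sleep", w32tm_sleep))


def triage(events):
    """Run every heuristic over (pid, command line) records; one finding per hit."""
    return [{"pid": pid, "kind": kind, "result": hit}
            for pid, cmd in events for kind, fn in CHECKS if (hit := fn(cmd))]


# Command lines copied from the process tree above (PIDs as reported), plus one
# constructed benign task (hypothetical PID 4242) that must produce no finding.
SAMPLE_CMDLINES = r"""
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f
""".strip().splitlines()
SAMPLE_EVENTS = list(zip([1636, 1192, 2076, 2392, 2632, 824, 4242], SAMPLE_CMDLINES))

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

The heuristics key on the command line rather than on its outcome, which matters on this image: the Defender PowerShell module that provides Add-MpPreference is not part of Windows 7, so the exclusion attempts cannot have taken effect there, yet the intent is fully visible in the process tree. max_seconds is only an upper bound on the w32tm delay (period times sample count), and the schtasks check records the ONLOGON plus /rl HIGHEST combination without scoring it, so treat the output as triage leads rather than a finished rule set.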

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       9aab1ba69e3584ca4b18aa806491bd64
    SHA1      911a39f96795aff2679ec17e344c8afabb78cf81
    SHA256    cd2bc65889e111085da4ce67409d2925565f141fdcbdab218d5fc33788007f90
    SHA512    157e524091dd555d1529c511c4204fcc2fb6b3ff493302a185ab18dd075607e8d8f9995cff6daeb6e04e64d71c3f3afbb5097320ad91f55a1ffce78bd380d0dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       854269d8dda512aa1a115f8bdf933117
    SHA1      2a551407994dd817468f6487e969579e89ec849c
    SHA256    64bbe52ae1c2945001459ac320a1ce6e5c9b5cb4b3da5b4c1490a01f5b6574f3
    SHA512    04bee9a7aa7a60b37adce7ad3fac387da8bc9db5d1abf2af3cd7e768ca4139bae47aab0de7509b082c1652f3aadaa1c19647ceba8417f6ce81978e896a9ae6a4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       f5b51b57df58af41a213c41b759dba34
    SHA1      0f99c8a9095b380108c4d64ae403afd715b63a54
    SHA256    f8bcc7f44020ae95b957126d7ca89aa92ff0d8a3d78ae75826669df42aa7b0d3
    SHA512    4e00d64b20b32664e21b50fa9e1d5984cd71dd6c6aa71352d551f749406ca0745ff238cb988c8efaef83abf3261c25e6fe7dfbec496bfc98a3a10e9517b1defd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       a8d2e0e4661c098f80dbecb0bd525d31
    SHA1      474b6349dea2162ce655c08725945e01e985c909
    SHA256    108a940390aed971d7f3c69336a09107ff8bc78fc4f3e8e3f982cf9c85fdea8e
    SHA512    52d10495c155b8b1ada2fd32fe04789d3d0a8ec301bf0a3c82b9741212239eca3cd97e39aacc2d879d3d26d966ee89b79357c2bd882791fefbf5b146f478742d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       fa83c8c56819a411c33ce9eb76f859cc
    SHA1      a780fc40e3b6a1388b0a6876e5c27a18e2f40bb1
    SHA256    42b947f462e83dbe0420cc8a4bd1066defa25aa45f108a76a395b9c7514b5670
    SHA512    44d362f287b4678ed366bd1a55aa07fa9ab62e9ba73f432d0ade341e2b921ea27fca8ba4c86e16096c8d888b570d9670695a3db14666b5f517b41ae198711288

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       95481cebc8ee467d0c4a7a7e3b3004ab
    SHA1      30427c18b93bfffd585fcbce5a6fbbcc561eabbe
    SHA256    c16d95771a0586cc855d51354b14221924ba0cc418af0bcb794b531259510fe3
    SHA512    251d466ff52467497079f44c66611459559768d2a2737251ea605dcd95caabc1bfd7c4a25e9906910538004a9787805ee0eceb406882fd0df214d2b80f3b4359

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       a064165a1141734e503058f9a9c06b99
    SHA1      db1939b5b2c9a57ae0e891f9542ebbc29345cd57
    SHA256    419ddf4851cd9ce412ce2b146127e3e061e55c29edab34f0dc72fd510cbd02ca
    SHA512    795b624033aab6f7572b4c0b2d739ee7d3888c4d0867ec1c3f1ba393271a07d7b21b25f5a1a81ee3765504fcd7649980152953c8ffe93cbf59d7f4c99a4b0118

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       3e49eed2814144d69e6335561034635a
    SHA1      8fcaefcee80a909216510e5da3a43e34cbf09d6f
    SHA256    f8ed5080c910a27e14901055bf697b15d7be2c389ccdce3813d5b7f0502f0001
    SHA512    6474b21e2f5410cd3811144d322d9a34f9cccb9e8b32085200607d8281a5481e4d0be2db6134ec56c15b88b3d5d867d246b799cde54d09555ae4a4c78fd168c3

  • C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat
    Filesize  196B
    MD5       8828d3001a0bc750c6ca5c3d1750f602
    SHA1      d9bbff3dd358aceecd25723276bd6ab94c1b3dfe
    SHA256    43758a38de73043fe1e4055d12ede4e1bcbe60c29205984fb3678f077ccea9a4
    SHA512    6d1edf6537b292d37978bd319b78487414d01ed6e6e47c90247b222281d35e5d13eca61a678f78c087bf770b766c142b0bc9b8ffe46b5e5f227c1139d45d502b

  • C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat
    Filesize  196B
    MD5       454122dc9b11b5202b32dc8ea693f6d9
    SHA1      7dbb76d0c2e0be65d3c99474d762c464033b4fe2
    SHA256    8dfc17bfc8e3042c9a7e24b42451a2ae87e5591425c7bafdcd1a554ef73b1860
    SHA512    b3bc7ed78f76c4e35b0135f31a68f92a8444274c57b7d4b53b84be675066b27d2966c5a6dd10bcd8d78e2dbde72969d5ff4d88081e0b5b1481d92077d2a4b94b

  • C:\Users\Admin\AppData\Local\Temp\CabE17B.tmp
    Filesize  70KB
    MD5       49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1      1723be06719828dda65ad804298d0431f6aff976
    SHA256    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat
    Filesize  196B
    MD5       fd54f31de65c5654672e2170442f3ee2
    SHA1      1d2410cd89e3d2eeb9fa5f7f34bbd79890305d38
    SHA256    7942b38b742dfd4d908021ce93344c984a0c8119a85998b3682a3ae8fdea2212
    SHA512    6250001f8bde11b5b7e1112b0fdddba377c40bda6c0f81637eab7b839b036c1228c7874a48846c61b4c2f43173dc789f89b9b10bbb915b50500eb4d6443e3ce9

  • C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat
    Filesize  196B
    MD5       32d1a380cde782e33348fe41f3a2fc05
    SHA1      dc0dfe476776a6f127034e4fa83bcdc56e14cbed
    SHA256    2da2cc9f80084c9bbad7e4a6630a29933f13c0a7d64382fc15993e6ccd8e28f9
    SHA512    3d39b359b292c10cb3c50cd47ba8493ed667c3ba4e96536c8bf21ded0f353ce6c676daa6d129fc5eeed8d0ae2878e1ce305555b778c6890d613e1db737758cd1

  • C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat
    Filesize  196B
    MD5       d53323c37163d44f466d4d16a878256c
    SHA1      1d1dbd255fc64de89d438c5591526a716bf2b9c9
    SHA256    157a39bcd1360d9d5f6f4bd4aec904c1b3f5517295d3f6ce6ca3ee09875ff9fe
    SHA512    07238cc0d71f123cf0a97ae535dd4f93bef421c7949bbbcef40c2015a9c952903eb660d9a71f34cc1d96158d04516ccc03ac0c75b693915d266ab039e71f0ed0

  • C:\Users\Admin\AppData\Local\Temp\TarE19D.tmp
    Filesize  181KB
    MD5

                                      4ea6026cf93ec6338144661bf1202cd1

                                      SHA1

                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                      SHA256

                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                      SHA512

                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                    • C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

                                      Filesize

                                      196B

                                      MD5

                                      1b30d068361ca4e331ac879ba28010c2

                                      SHA1

                                      8d2ebfabcab30d645517cc742420b58cffd34bbe

                                      SHA256

                                      c071526ae4d681f8b83ed496124b783e383955083719fad85e36e763e3697f2a

                                      SHA512

                                      7c34035f90e0eba755400edc3af43220fbaf93e1e098604b27757e890f7717c1e52182bba326faacbf1c2d0169e5ffe49db5527ea1a2fff2eb6e43038529e460

                                    • C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

                                      Filesize

                                      196B

                                      MD5

                                      7cba9954f518d22b842b7e5956019bc0

                                      SHA1

                                      cd62dc7bbb6c48eb8207894d6a213379f7e4b84b

                                      SHA256

                                      7278f9112468781fb68ce9cf9c9c231e78607c08ebce94e6a58aa8dfa63d54b4

                                      SHA512

                                      60e998b4093244e44d41f4dd31441b3eb33e6316b1580bbab070519600780df7a0b3897a79c011c802bfb1127bb9ee7c521cd26e25efa0e02a55327697573a49

                                    • C:\Users\Admin\AppData\Local\Temp\wMvxJuE7fS.bat

                                      Filesize

                                      196B

                                      MD5

                                      d70dc6e5696cde68608d8f92950920c9

                                      SHA1

                                      0dbda9a82922c35f5671ef78364c648f6895c89f

                                      SHA256

                                      7b22e0e39ef0f0b484cac43713b3a6a4a784a87af78bca5423a33430521827a6

                                      SHA512

                                      c0aa64b616b97ffc4d47f0caa947d7bf39f785caa2d7e95acac190617fb30512ca4d46d516ecbe376d226188864859a0735b2e63ddf5454b6872cce208c7002c

                                    • C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat

                                      Filesize

                                      196B

                                      MD5

                                      15c32c07d78ef88454940759c671c811

                                      SHA1

                                      65028bd80ce83a06c40daf39eb67c7d789bf6b16

                                      SHA256

                                      222508fba5680cf9dc795b02da1e1ff593dcd8b5d666d8b01398a2a16e40065a

                                      SHA512

                                      1011b6201ce142c473402b54fd9104ca141fbac3811a08550e9e984718fb1be9e041f478ac0ba9c54f3147faf999fe1157e6b81c45866dfb53b11ced0581c014

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                      Filesize

                                      7KB

                                      MD5

                                      ae583973d635165b6e5192283d987ebd

                                      SHA1

                                      275414b184abecae367cf6cb08be7093f34c303d

                                      SHA256

                                      7708bd611ae9f25478fd9c86322bc1741da0154cc8e3ab2b1037c6dca679a484

                                      SHA512

                                      4149e79196be86d8f7e89545dbd31c82423a0f243f65dda09067503de2f5bc8f895ae4d105b47d3195d8d8cc1665e27aaf1d7ce79001ac9d6be3949cb8689c57

                                    • C:\providercommon\1zu9dW.bat

                                      Filesize

                                      36B

                                      MD5

                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                      SHA1

                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                      SHA256

                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                      SHA512

                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                      Filesize

                                      197B

                                      MD5

                                      8088241160261560a02c84025d107592

                                      SHA1

                                      083121f7027557570994c9fc211df61730455bb5

                                      SHA256

                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                      SHA512

                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                    • \providercommon\DllCommonsvc.exe

                                      Filesize

                                      1.0MB

                                      MD5

                                      bd31e94b4143c4ce49c17d3af46bcad0

                                      SHA1

                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                      SHA256

                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                      SHA512

                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

  • memory/1092-306-0x0000000001210000-0x0000000001320000-memory.dmp
    Filesize: 1.1MB

  • memory/1100-543-0x0000000000250000-0x0000000000360000-memory.dmp
    Filesize: 1.1MB

  • memory/1320-66-0x0000000000860000-0x0000000000970000-memory.dmp
    Filesize: 1.1MB

  • memory/1544-245-0x00000000010B0000-0x00000000011C0000-memory.dmp
    Filesize: 1.1MB

  • memory/1544-246-0x00000000002C0000-0x00000000002D2000-memory.dmp
    Filesize: 72KB

  • memory/2088-185-0x0000000000980000-0x0000000000A90000-memory.dmp
    Filesize: 1.1MB

  • memory/2248-47-0x0000000001E90000-0x0000000001E98000-memory.dmp
    Filesize: 32KB

  • memory/2248-46-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
    Filesize: 2.9MB

  • memory/2616-125-0x00000000008E0000-0x00000000009F0000-memory.dmp
    Filesize: 1.1MB

  • memory/3048-17-0x00000000002F0000-0x00000000002FC000-memory.dmp
    Filesize: 48KB

  • memory/3048-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
    Filesize: 48KB

  • memory/3048-15-0x00000000002E0000-0x00000000002EC000-memory.dmp
    Filesize: 48KB

  • memory/3048-14-0x00000000002C0000-0x00000000002D2000-memory.dmp
    Filesize: 72KB

  • memory/3048-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp
    Filesize: 1.1MB