Analysis

  • max time kernel
    143s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 23:18

General

  • Target

    JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe

  • Size

    1.3MB

  • MD5

    bda66baae95d4dc4410098f8767b46a2

  • SHA1

    54004cb81ec61e5c4b563ec0ce67b4d22672b319

  • SHA256

    48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f

  • SHA512

    5ebca40bb05d12c0f7ae6d991a84878acf8272fef98015993fad4469e81b6cf6043f8846f6d62bdf00fe9c455a84e3c85a24b8cad65572bef916b44a73bb2ef9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1800
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3d5a4VryJl.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:244
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3780
              • C:\Recovery\WindowsRE\dllhost.exe
                "C:\Recovery\WindowsRE\dllhost.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4804
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3288
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4952
                    • C:\Recovery\WindowsRE\dllhost.exe
                      "C:\Recovery\WindowsRE\dllhost.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2600
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4848
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1172
                          • C:\Recovery\WindowsRE\dllhost.exe
                            "C:\Recovery\WindowsRE\dllhost.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1784
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2692
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:4568
                                • C:\Recovery\WindowsRE\dllhost.exe
                                  "C:\Recovery\WindowsRE\dllhost.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4392
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1176
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:4916
                                      • C:\Recovery\WindowsRE\dllhost.exe
                                        "C:\Recovery\WindowsRE\dllhost.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:1476
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1692
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:1788
                                            • C:\Recovery\WindowsRE\dllhost.exe
                                              "C:\Recovery\WindowsRE\dllhost.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:3228
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2800
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:4344
                                                  • C:\Recovery\WindowsRE\dllhost.exe
                                                    "C:\Recovery\WindowsRE\dllhost.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1672
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
                                                      19⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3972
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        20⤵
                                                          PID:1740
                                                        • C:\Recovery\WindowsRE\dllhost.exe
                                                          "C:\Recovery\WindowsRE\dllhost.exe"
                                                          20⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1968
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
                                                            21⤵
                                                              PID:968
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                22⤵
                                                                  PID:2692
                                                                • C:\Recovery\WindowsRE\dllhost.exe
                                                                  "C:\Recovery\WindowsRE\dllhost.exe"
                                                                  22⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2476
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
                                                                    23⤵
                                                                      PID:4696
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        24⤵
                                                                          PID:4076
                                                                        • C:\Recovery\WindowsRE\dllhost.exe
                                                                          "C:\Recovery\WindowsRE\dllhost.exe"
                                                                          24⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2936
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
                                                                            25⤵
                                                                              PID:4236
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                26⤵
                                                                                  PID:2116
                                                                                • C:\Recovery\WindowsRE\dllhost.exe
                                                                                  "C:\Recovery\WindowsRE\dllhost.exe"
                                                                                  26⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3752
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
                                                                                    27⤵
                                                                                      PID:760
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        28⤵
                                                                                          PID:4956
                                                                                        • C:\Recovery\WindowsRE\dllhost.exe
                                                                                          "C:\Recovery\WindowsRE\dllhost.exe"
                                                                                          28⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4912

Network

MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

                                    Filesize

                                    1KB

                                    MD5

                                    baf55b95da4a601229647f25dad12878

                                    SHA1

                                    abc16954ebfd213733c4493fc1910164d825cac8

                                    SHA256

                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                    SHA512

                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                    Filesize

                                    2KB

                                    MD5

                                    d85ba6ff808d9e5444a4b369f5bc2730

                                    SHA1

                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                    SHA256

                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                    SHA512

                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    944B

                                    MD5

                                    77d622bb1a5b250869a3238b9bc1402b

                                    SHA1

                                    d47f4003c2554b9dfc4c16f22460b331886b191b

                                    SHA256

                                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                    SHA512

                                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    944B

                                    MD5

                                    6d42b6da621e8df5674e26b799c8e2aa

                                    SHA1

                                    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                    SHA256

                                    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                    SHA512

                                    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

• C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat
  Filesize: 198B
  MD5: 0ed0b5e9971a8ace5d846ea3117f992a
  SHA1: fa0c1e70c13126301474b6cb942266e610b6f4bf
  SHA256: 0e29b7341d9677b8322b3ec8272f906bf8ae12aa6b7c586fefce48eea15b1629
  SHA512: ccece1adf1aea08b45ed4ce2754b3a41074120eaa33411241d4d9e401d783bd3b1756669d2ea5d0da97bde3b54bfbc9a7d4ac2450f9db22647159856647b1d99

• C:\Users\Admin\AppData\Local\Temp\3d5a4VryJl.bat
  Filesize: 198B
  MD5: f6aea1abbbd9f952af4aa63c3347c34f
  SHA1: 7315b31126abdd6ba0a3c3fb242ff93243f46e75
  SHA256: 2302cb134d6a97021189b332a8b067990619020da2b59f908acc56b38cf78226
  SHA512: 9bbeb2ee7d6f664ed929afd089be9660eb681731577f84e83e4f0de7907d477432ff53bded5dfec6f632c259b22aa30d33dfd72f381cfe3bc59487a225d40087

• C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat
  Filesize: 198B
  MD5: 7ce7214f23b4bba50d9e4512dea0172a
  SHA1: 3e94c75a516d21672edb0df4db0badcacb34389f
  SHA256: 30d1cca2c92627e0c4560f3020041f90a86e914755af58c2336def273b7912f0
  SHA512: 79a73ff16a28798c3de5e0141b3e922afc1f7619f99bb046482d23bfc4f560f42a36abb03448fd2e3af62727824a2341f6a664189fbc40e24dae12182c5e28f1

• C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat
  Filesize: 198B
  MD5: 8a564cd6d45dc942a855ac17f5ffb2ee
  SHA1: 9d802aee3585767da70c2d0d32844236f3d7c176
  SHA256: a70cf05660ed92db2910a91cea7a08c792936730588a04ccab6c37bf3f7be1e0
  SHA512: 28cb51d7780c99075f326341814732e6e4dc74ad92ba3ab5737a76e34e569f8831942b0f34a4c31deb3f88a9386dea86c23f38615583c1f2a53543d96b9bcea3

• C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat
  Filesize: 198B
  MD5: 26e39afd0589ac6d3fde602c055c7cfd
  SHA1: bc16d1a4f4d1c5a67c9962c4247a48ec6268cedf
  SHA256: 93470d301528f25e41b5a9479d02565451dfaf9a08b2f4c1b097bdf0a9d3748a
  SHA512: 83675b17697e02d062baced90cb21ae06bf29ae967c0309bb3c44a1cfc599411d351600073763654acae4dbd1406b9b1f03b1d088e5844d2f5b93a94f2a8eedc

• C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat
  Filesize: 198B
  MD5: 324fdf7eb589b2d4d2871a9a4c75c7ee
  SHA1: a5702635834e068b6e27ab639861289fa3a9304f
  SHA256: fa851ddadd9d9fb49063f94418e5351986cee9c7916e31a27124989934c75247
  SHA512: b27dad39f0f3a7d82265c70a643d4d9d015812aba3fca0e66363bc6d2c6c0d3649371bf1b32b11bf09466a0465305b804b832e964f120a19d275b70564007bf5

• C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat
  Filesize: 198B
  MD5: 8a28cfacc1a2feae39fd2725f424a5e7
  SHA1: b87ae16c0dcf5fda1a3fdda62fcc6f73735f8e0c
  SHA256: 5f045f7c2cae49f1b4eb45c78ec3737a94f2683c86a7ac88d15c760269956c2b
  SHA512: a93f42f0d16f35a9aebd49b5e7e81bc57a8d2a1315be6d273ae963247d3b5e1a7bf7594e9844f795712c503684acb6869db2583cb86712ce3c1d4848c648e789

• C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat
  Filesize: 198B
  MD5: c18579ec33781b6a64eb1da82a15b38f
  SHA1: 9fbe636ac4dc4fbfde3e10779ff0785481f655f0
  SHA256: 0b46648c64de710de412032da4cc00ecb54da5b88f7fe3ead225c7d807199fb1
  SHA512: 0ab8974f907df01108fad34fd1e7100a2ab254d64638ee08100d8b92cf96e8266e9243185468df5398d33bdab56fae597b8a8f5d28ccb977f75279fe1cf21d93

• C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat
  Filesize: 198B
  MD5: f3e6d46f041e4d492133d34fc6fce220
  SHA1: cd144e25d554f42f12b7d7e6aef6e1990c3439f2
  SHA256: 7c31c22f52005525169f8a13e5680dbcc0f655279d7aaeee24f074a3cff48bac
  SHA512: 461791b060b7e9d84cc97804366f28f471e2023a22ee54270d4ea5fd13f048c5f34d5d7dc2862f25b649969e97ba8c23f6ba479a0c19b03fbb39e6798d83edb8

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unsa1pk5.wfj.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat
  Filesize: 198B
  MD5: d42e4a9d166ece921a9382386ac7a63c
  SHA1: 1761f5f4a4607f04bdebf118edcdb58b3555cd9f
  SHA256: ccf1f9846432f6f9c94f8c1c79f82fde74a91038b78ce3c930f4dae66d3c70c7
  SHA512: 582059a5b3ef7fde228157802067402f9b1daeec33c97be20e75ffcc3efa7fbea32ef6477d9fdaf5796d74b65551b56e90d5ac78316caeb1ec33ca2f3516aaf7

• C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat
  Filesize: 198B
  MD5: eb6ecc1213a6a4445a88573f9238dd49
  SHA1: 28ee0f6ae453c1e05d0f7cecce6f8a85b7042f17
  SHA256: a519b41d6bee727d64a2e15a33eb79735279fcc05d9db4388b1f8b6aa21474bf
  SHA512: f9feaccfe64d6a4cf377d79c4727b0404306af07354b4242a22c0864bb3547535af26a407d4dcde2008cbe4047256f06f77002be736a9ba9b5eda23f43e6e0f5

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/1040-40-0x0000018B6C050000-0x0000018B6C072000-memory.dmp
  Filesize: 136KB

• memory/1476-127-0x000000001C650000-0x000000001C6A6000-memory.dmp
  Filesize: 344KB

• memory/1476-126-0x000000001BF00000-0x000000001C002000-memory.dmp
  Filesize: 1.0MB

• memory/1784-111-0x000000001C4E0000-0x000000001C536000-memory.dmp
  Filesize: 344KB

• memory/1784-110-0x000000001BD10000-0x000000001BE12000-memory.dmp
  Filesize: 1.0MB

• memory/1912-16-0x00000000026C0000-0x00000000026CC000-memory.dmp
  Filesize: 48KB

• memory/1912-12-0x00007FFBA0863000-0x00007FFBA0865000-memory.dmp
  Filesize: 8KB

• memory/1912-15-0x00000000026B0000-0x00000000026BC000-memory.dmp
  Filesize: 48KB

• memory/1912-13-0x0000000000490000-0x00000000005A0000-memory.dmp
  Filesize: 1.1MB

• memory/1912-14-0x00000000026A0000-0x00000000026B2000-memory.dmp
  Filesize: 72KB

• memory/1912-17-0x00000000026D0000-0x00000000026DC000-memory.dmp
  Filesize: 48KB

• memory/3228-136-0x000000001C330000-0x000000001C386000-memory.dmp
  Filesize: 344KB

• memory/3228-135-0x000000001BBE0000-0x000000001BCE2000-memory.dmp
  Filesize: 1.0MB

• memory/4392-118-0x000000001B490000-0x000000001B592000-memory.dmp
  Filesize: 1.0MB

• memory/4392-119-0x000000001BC30000-0x000000001BC86000-memory.dmp
  Filesize: 344KB

• memory/4392-113-0x00000000007F0000-0x0000000000802000-memory.dmp
  Filesize: 72KB

• memory/4804-95-0x000000001C0C0000-0x000000001C22A000-memory.dmp
  Filesize: 1.4MB