Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 19:53

General

  • Target

    JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe

  • Size

    1.3MB

  • MD5

    76f57cdae6224f6d655996f2953535b5

  • SHA1

    30feb1edd193e937514586430b792b508eac1a0c

  • SHA256

    796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012

  • SHA512

    fe5eb19e3b84a78a8a198e075d4858f986302d9e1b13ca32285ec3b5b751ce6201e4e22ae2d657c435020ac261fbc69424099f7f0d7aba83ffbb88df0eb687fd

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Program Files\Internet Explorer\de-DE\wininit.exe
            "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1820
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1560
                • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                  "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4420
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:216
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1964
                      • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                        "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2832
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4864
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:1988
                            • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                              "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3548
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1668
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:5072
                                  • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                    "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:2296
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4732
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:2440
                                        • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                          "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2812
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2760
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:368
                                              • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1148
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4812
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:3796
                                                    • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                      "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5108
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
                                                        20⤵
                                                          PID:3192
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            21⤵
                                                              PID:1792
                                                            • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                              "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                              21⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:640
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
                                                                22⤵
                                                                  PID:1872
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    23⤵
                                                                      PID:3728
                                                                    • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                                      "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                                      23⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:392
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
                                                                        24⤵
                                                                          PID:968
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            25⤵
                                                                              PID:2896
                                                                            • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                                              "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                                              25⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2148
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
                                                                                26⤵
                                                                                  PID:3704
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    27⤵
                                                                                      PID:3324
                                                                                    • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                                                      "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                                                      27⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2276
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
                                                                                        28⤵
                                                                                          PID:2192
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            29⤵
                                                                                              PID:4768
                                                                                            • C:\Program Files\Internet Explorer\de-DE\wininit.exe
                                                                                              "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
                                                                                              29⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2144
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1568
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1928
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2444
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1920
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2324
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2396
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2636
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:416
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3592
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\dwm.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4540
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4856
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:732
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3552
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4564
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1860

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                      Filesize

                                      2KB

                                      MD5

                                      d85ba6ff808d9e5444a4b369f5bc2730

                                      SHA1

                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                      SHA256

                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                      SHA512

                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

                                      Filesize

                                      1KB

                                      MD5

                                      baf55b95da4a601229647f25dad12878

                                      SHA1

                                      abc16954ebfd213733c4493fc1910164d825cac8

                                      SHA256

                                      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                      SHA512

                                      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      6d42b6da621e8df5674e26b799c8e2aa

                                      SHA1

                                      ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                      SHA256

                                      5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                      SHA512

                                      53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      62623d22bd9e037191765d5083ce16a3

                                      SHA1

                                      4a07da6872672f715a4780513d95ed8ddeefd259

                                      SHA256

                                      95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                      SHA512

                                      9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                    • C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

                                      Filesize

                                      217B

                                      MD5

                                      3ee9015cfd51552ea24c158844a4d8f2

                                      SHA1

                                      3011e96c1f995b18393c1f76414a643610db4e47

                                      SHA256

                                      10ace3b8e30369fbabd23115aa64a8304053e3531c526fa2780781597b868145

                                      SHA512

                                      cb88d6dfe32293ae3ce2026d237d589cb2fc5c9df68868c9a9e20477dbec0d1903e92077aeb4932164cbe2425b885efca448124190a598bb1862694c3b350553

                                    • C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

                                      Filesize

                                      217B

                                      MD5

                                      8a537b5381df9182ac1f7b1d6ec170d6

                                      SHA1

                                      f99ae01147c002cef03bd0cde311b23664151ff2

                                      SHA256

                                      0034ccfef1aad1bf276f5e31684aeeb4c4d55c6379e2ed35b5e21dc3e2e67430

                                      SHA512

                                      77d09f63e841937e5d1c709def9b09a3c1903511898e2187fd6f09bfae820383f52a5f84d348687efaa7f956e8200306d0f07fc2e3a34f405665931e96775f1f

                                    • C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat

                                      Filesize

                                      217B

                                      MD5

                                      ebb3fb5d2be2a97f5a3e3aaa63b75c76

                                      SHA1

                                      c79055fa225fe0cdbbe6cf9603c7b5a497949518

                                      SHA256

                                      d6155e6d3af6b7bdb985a35b832613233ff01ebea79ae09e1e0daf23b10d8c1b

                                      SHA512

                                      649b5b90e5d0a71bd81a4144189983d871fc012a3f0fec72b62d4fd13d81490acc6fcf5b64109e850d27e490e5cce8d01d95b9393a5e20c070c570d35562165e

                                    • C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

                                      Filesize

                                      217B

                                      MD5

                                      72919b8efee24cff5c65ce514cf4c81b

                                      SHA1

                                      c08849bf5c3f8bdb892406cf881ed5ea2df6820e

                                      SHA256

                                      1853411f71bf7cef57b1d16f93263ee85d0dd2b57de5a7689a10d0954931dce9

                                      SHA512

                                      6f805c1518c0b55c973f4e91425798927fcaf5ef5ce038db5806e56019125c967a3c9a1c138bfb871d3cee91226e05dab89199d6063a7bc0828b126101c99c98

                                    • C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

                                      Filesize

                                      217B

                                      MD5

                                      f1bccb54852649c7f6425c1406517303

                                      SHA1

                                      a06873e6c1fc165ec6f5f324e1e60e7a50185a19

                                      SHA256

                                      d92664ed6d11d42af746713e5325c61271028c3c22664348cb654a338b55895a

                                      SHA512

                                      62cb92506ad2c7420d7e55dea3b9703fa86f9638ab231ed871cbabaf89915f287bcd067aa02509fe992869d4945dd9ca0e2eb101199315e5d7ab9aa4f9520d93

                                    • C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

                                      Filesize

                                      217B

                                      MD5

                                      01c60724aa7c638a54434a214e5e6fc1

                                      SHA1

                                      e853adbd0e9a71caac96583814746530168491a9

                                      SHA256

                                      11d16cc14b15536dba9fb2d370a21aebcaea797bec53312829a2b61dc929b2b8

                                      SHA512

                                      b15c91f2b3524d737225e7e56725c90980d27adbed61a96c88e98bd1e8e4fddc936fad7db8cc373b802c0e973d3ff71cb620fb21f2b02bb5b008eeab93cb5883

                                    • C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

                                      Filesize

                                      217B

                                      MD5

                                      5015524f5b6880d3d965bb67ce73287f

                                      SHA1

                                      7cdc51293ffad09660b51a3ad6714ed758d6b0d9

                                      SHA256

                                      8c30979f9d1afd4963329b319d71894ae8008c6bbb2fa9bbeba9b8024c58c6a8

                                      SHA512

                                      2d0e86bf3ac7c6dcdc2df1a86573e850fb4789aa62ad59536cea2203f6c02b0c1042cdc5ea5852243b948ab17723208b99d4d4ebf1fadb7f7f2baff0069ed3b5

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wcrri103.2ra.ps1

                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    • C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

                                      Filesize

                                      217B

                                      MD5

                                      899ec793015d204393bd0d1b20bf1fdc

                                      SHA1

                                      713669757eb0822dd6849a0f0dcd569c9266a1ae

                                      SHA256

                                      ed6e62350776e98dc6a7108a451b6cb5418c1a64f101e88e35e560cc9f96f76f

                                      SHA512

                                      33f334fd0df3076bf10c5786169feb3036a5b0d354cd5dfbcb3fa0dad8488166461779cfc5a40f607bbf19ba1ae3f29c1351b9fa01324844c70c2c23be8723ac

                                    • C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

                                      Filesize

                                      217B

                                      MD5

                                      12bf6a845364b7be0d519cc48bd9874c

                                      SHA1

                                      37e6c21c5162bbfcc96e37dafa82f2ed36dbc714

                                      SHA256

                                      3dbdfdb1c411ea84a2cf989742fe3ea7bdcc27e7cce796cb57a792011e0864ee

                                      SHA512

                                      a5757d265d7c93253f45570834f96e999d95f255f80da7fd0956571e71141e6172659de249c2dcc63570756dbaf265855c8942490602f7979bd003bb03dd0907

                                    • C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

                                      Filesize

                                      217B

                                      MD5

                                      fc5238e395c2d8e873d65aa7a3d9f5b5

                                      SHA1

                                      fb699ac070d92d927e0dc65630048289e5f14b91

                                      SHA256

                                      02f11fcfdf3e86dc502115019c740aff9e7114acca130ebe5da4251cdcff84de

                                      SHA512

                                      70836e8051c79aa556cb3ff85cc3a94d2d9018173126da7232a5acd41f762e6888fdedb20f6f8092d700ab71b2922cd81e045040fa836cb84e204383f5501b80

                                    • C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

                                      Filesize

                                      217B

                                      MD5

                                      b2944638cb06df63dd8b1a35aebaed3b

                                      SHA1

                                      0b61ea5cb4d80bf1c844f0f70c35207856531d88

                                      SHA256

                                      0d06d9d0412d896dcffa5005b35ddddd3c574c808f568d730819c972ef349864

                                      SHA512

                                      e197513ffb0ce9b2dce1179995e4c5a39143d43fd1bbd91f835a887a042ceb5ab4c0bb371289366cb99d2e1c3baac29fb5fcb1874c4cc0183af23ea61fc1528e

                                    • C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

                                      Filesize

                                      217B

                                      MD5

                                      6071a29efef0d412f99fd3f97d3f7635

                                      SHA1

                                      ea4d4f734d2e44256c41ec00db904d277547d826

                                      SHA256

                                      d818f1ed0d4b7057fa528a7db7ab3ad785572f5c3279298104650743e3231c5c

                                      SHA512

                                      61374c4e3b709ed9f051cff3487d7d0b233d90f401dc2082dc09b6985b8bea40d709d59556ec046afdfd9a22f5b94d13bd6e7e59951228b300058c4908b3e13b

                                    • C:\providercommon\1zu9dW.bat

                                      Filesize

                                      36B

                                      MD5

                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                      SHA1

                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                      SHA256

                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                      SHA512

                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                    • C:\providercommon\DllCommonsvc.exe

                                      Filesize

                                      1.0MB

                                      MD5

                                      bd31e94b4143c4ce49c17d3af46bcad0

                                      SHA1

                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                      SHA256

                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                      SHA512

                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                      Filesize

                                      197B

                                      MD5

                                      8088241160261560a02c84025d107592

                                      SHA1

                                      083121f7027557570994c9fc211df61730455bb5

                                      SHA256

                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                      SHA512

                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                    • memory/1148-148-0x00000000014E0000-0x00000000014F2000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/1680-48-0x000001EAD83D0000-0x000001EAD83F2000-memory.dmp

                                      Filesize

                                      136KB

                                    • memory/2148-173-0x0000000003040000-0x0000000003052000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2296-134-0x0000000001680000-0x0000000001692000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2812-141-0x0000000002300000-0x0000000002312000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2876-94-0x0000000001600000-0x0000000001612000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/4476-17-0x0000000002B40000-0x0000000002B4C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4476-16-0x0000000001220000-0x000000000122C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4476-15-0x0000000001230000-0x000000000123C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/4476-14-0x00000000010B0000-0x00000000010C2000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/4476-13-0x0000000000800000-0x0000000000910000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/4476-12-0x00007FFD21D33000-0x00007FFD21D35000-memory.dmp

                                      Filesize

                                      8KB