Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 20:41

General

  • Target

    JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe

  • Size

    1.3MB

  • MD5

    42651fff742c0a5e04db2916591aff08

  • SHA1

    5574495235b5fcc6ec78b50b6adb9238c0aaca99

  • SHA256

    87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a

  • SHA512

    4c7ebc12c746fec891fb6a69d0f73ec8c1769b7abfb5bbd30bf6d1a0a9453fd217b89ea5dd79f8d141206f31025bf2cf269d5f0585c0152517c1241938b128a1

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4460
          • C:\Recovery\WindowsRE\fontdrvhost.exe
            "C:\Recovery\WindowsRE\fontdrvhost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1500
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3840
                • C:\Recovery\WindowsRE\fontdrvhost.exe
                  "C:\Recovery\WindowsRE\fontdrvhost.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4344
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4760
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2652
                      • C:\Recovery\WindowsRE\fontdrvhost.exe
                        "C:\Recovery\WindowsRE\fontdrvhost.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4176
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1220
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2476
                            • C:\Recovery\WindowsRE\fontdrvhost.exe
                              "C:\Recovery\WindowsRE\fontdrvhost.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1760
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2456
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:400
                                  • C:\Recovery\WindowsRE\fontdrvhost.exe
                                    "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1428
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1988
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:2780
                                        • C:\Recovery\WindowsRE\fontdrvhost.exe
                                          "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:3820
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:3932
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:592
                                              • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:4624
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3840
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:1008
                                                    • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                      "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4992
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
                                                        20⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3632
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          21⤵
                                                            PID:3712
                                                          • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                            "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                            21⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4060
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
                                                              22⤵
                                                                PID:2532
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  23⤵
                                                                    PID:1612
                                                                  • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                                    "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                                    23⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1580
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
                                                                      24⤵
                                                                        PID:2932
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          25⤵
                                                                            PID:3596
                                                                          • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                                            "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                                            25⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2924
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
                                                                              26⤵
                                                                                PID:5016
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  27⤵
                                                                                    PID:4392
                                                                                  • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                                                    "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                                                    27⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:724
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
                                                                                      28⤵
                                                                                        PID:1044
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          29⤵
                                                                                            PID:2072
                                                                                          • C:\Recovery\WindowsRE\fontdrvhost.exe
                                                                                            "C:\Recovery\WindowsRE\fontdrvhost.exe"
                                                                                            29⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:864
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
                                                                                              30⤵
                                                                                                PID:116
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  31⤵
                                                                                                    PID:1764
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3008
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4900
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4292
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2080
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2252
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4824
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2084
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1144
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\appraiser\Telemetry\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:812

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

                                        Filesize

                                        1KB

                                        MD5

                                        baf55b95da4a601229647f25dad12878

                                        SHA1

                                        abc16954ebfd213733c4493fc1910164d825cac8

                                        SHA256

                                        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                        SHA512

                                        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        6d3e9c29fe44e90aae6ed30ccf799ca8

                                        SHA1

                                        c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                        SHA256

                                        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                        SHA512

                                        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        77d622bb1a5b250869a3238b9bc1402b

                                        SHA1

                                        d47f4003c2554b9dfc4c16f22460b331886b191b

                                        SHA256

                                        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                        SHA512

                                        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                      • C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

                                        Filesize

                                        202B

                                        MD5

                                        1aeb036de22d634742f61ec099af055f

                                        SHA1

                                        fad973a871e17aa55b6aa5fa749799ae7461e329

                                        SHA256

                                        9b662deb69cab4478beb5bfeb7860275213dfaf17e93af557419290e86928e09

                                        SHA512

                                        a7d9314c5f99e6740c0fe11593eb88601e8124fce0ea7d2dc130beae7c7bfed4b52007d62679422d0ea1d66e89435963e216d0aa53c9c035e9733a727588c364

                                      • C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

                                        Filesize

                                        202B

                                        MD5

                                        c98ce57b9289d4837cd3c06354a253dc

                                        SHA1

                                        e896e6fa9cae05fe1bc56a4cab29b7647ccce318

                                        SHA256

                                        e26f39f5533c99cfeb1762b3e51648ee1c563ce5472d7626ded61fefbbc13d95

                                        SHA512

                                        6a150d3ed20a70ae6717bd33745262efaa32d8e5f8734d2b64e816956ea454369239bbcec1adb8c0bd3cbb7c8e8b48f513f3684c9e3e2b526da9ee9890d8fcc9

                                      • C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

                                        Filesize

                                        202B

                                        MD5

                                        70025350638da5b208fe8860daef7c12

                                        SHA1

                                        5d43ef428a6e1ff62e6422140d9c76bf48b48299

                                        SHA256

                                        d1678284a7736fbfbabb96da43a732429bb39ce2f830e779d66acdf16063cf4d

                                        SHA512

                                        4fece6bb7c3afbb0b748827143eedd4b4a16f8abaf8cec603e017a3a75fd23732b30e36270d722fdfca4cb71c53a03c563a81db428ffc7f83132548038f9e99b

                                      • C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

                                        Filesize

                                        202B

                                        MD5

                                        ab5e3ea2902e45ff87a3f0da7787c2a2

                                        SHA1

                                        b8533f5e4a9e9f9c6951b188bde871cc6b2456e3

                                        SHA256

                                        85f88906ef487f5075d260fb3137d979545c63ff88309b3ad7a738e940b545a7

                                        SHA512

                                        b9b2b510940694e104992c340f75fea375d7c728b11af82022fed14b6815ac053ab7c6983762679d9d851ede2f84343e7c3029c714e6a627bfeddb8d991379c6

                                      • C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

                                        Filesize

                                        202B

                                        MD5

                                        f2ea2b031dd6199ce6ef84dfe4819ce9

                                        SHA1

                                        9ebbf1a56e21b20e024c34cebc20801f5da941f8

                                        SHA256

                                        4a14ec6178a8c2160dbe405f37e4aab36fbbf0cbdf00c8e25daa1c4f0c951ee3

                                        SHA512

                                        dc9197662e310bf8c6563b31ede19b563d19706b004501e15d13f0448ebc3e262e7f43201d40b5241eed2eb57eb29249b73a00e60163ed4ec5f29eae0d1fdb94

                                      • C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

                                        Filesize

                                        202B

                                        MD5

                                        4aff229343086caf8e3ff89efd78c081

                                        SHA1

                                        37f80bb77b80e28b9ec38919023b5003c9b4dd9c

                                        SHA256

                                        4c78df485f40337e9ba3f95c48b3ed6727fd02cdb7cb9cd9f0510003f4d57611

                                        SHA512

                                        cc6c709056ce62b89fea6a8355dfb561199800fa11ebc322f13e894b71a9d42e9300b2d9af1164a4ad179bc68ed348d1ab158e2d56c7bb45eb775f56565bb639

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wgvfctq.sui.psm1

                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      • C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

                                        Filesize

                                        202B

                                        MD5

                                        760c8347641449849b1601e8ca56a56a

                                        SHA1

                                        7f8b10afa7410598e9af22aad805af44e8a0bf83

                                        SHA256

                                        71a4b26117521712855f6e6b4d74af0c769aac669821762cef21a13a65198edd

                                        SHA512

                                        d4f7292a9353fc7e3088e47a0a9a1dfc3463d27ec5f4dd5c2f2c8f83227855228e393ae65dde7f9801f1da8ba895d126f8f3de7cc19b88674185cdfa3e1d0c00

                                      • C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

                                        Filesize

                                        202B

                                        MD5

                                        bcc3d9c4c13d7179e75858bfc76c380a

                                        SHA1

                                        f77c391495fdec16193cc479216b324415bb2979

                                        SHA256

                                        e8f67878d59ec5339077f3f52d321110cb6aec21788b8d3e6618ebb245b1bccc

                                        SHA512

                                        525a2557de69876901dbf80aa801091c0546bfc538d2731a7e0c03c16a6b6efa2ba9d7e961130cdf093dcad3afe88823317179b65676d93727e10c913bd627a8

                                      • C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

                                        Filesize

                                        202B

                                        MD5

                                        6bdbc67b5c817ae6f05f1158f88e7478

                                        SHA1

                                        4c2acd2d605f9f8c4f22499d8fceb862bc8d8269

                                        SHA256

                                        dae8ed4217116df7eb43e97e9dbcda533ba9aa0817ba1cf45ea9a72dbe4a7692

                                        SHA512

                                        2790c4f5f1c24a8084df26731638445f9d6438ee4f74ff0356598d90d596afe23eef467579185c3639793ef4bfd01844f5acf231b595c9c3cabdf218d23747fc

                                      • C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat

                                        Filesize

                                        202B

                                        MD5

                                        8115e9730501787aebb566a55a46ebdb

                                        SHA1

                                        d91d52474d7bd01a1d14b2f35adc547f478033b0

                                        SHA256

                                        a4d3a1a0e22b7a0d82a187913c2f183f3cbbfffb64fe7e33294ae4a6e42e6e27

                                        SHA512

                                        946a893f12f75b335a6dce7ed3f7b94671d7efbea42c54d686ef9242cfae18808cb35835ea5b6be94770009da1eaa5f0c3e0eefb74201f1f9f34f69eb85ab891

                                      • C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

                                        Filesize

                                        202B

                                        MD5

                                        236f8dbe37593d1c39b5987ac2b1bac1

                                        SHA1

                                        d03ff090396e4fc02b9621b79d8dd23554181aaf

                                        SHA256

                                        d729860d45d9eb054adbbe8a2088f9723358182fdb88b8f56fe31e7021aca3c2

                                        SHA512

                                        ffb217e746f9014de50ec5cebfe631b305bac3612c8b5820eb12fe8ee71ed0d86ef11d01644454d8107dbd9da8442c387344e535a6a9a628408dbc249f6c0a35

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • memory/864-159-0x0000000001540000-0x0000000001552000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1580-139-0x0000000001560000-0x0000000001572000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1760-102-0x00000000018E0000-0x00000000018F2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2300-72-0x0000000002810000-0x0000000002822000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2924-146-0x00000000010A0000-0x00000000010B2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/3724-16-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/3724-13-0x0000000000D30000-0x0000000000E40000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/3724-14-0x0000000001620000-0x0000000001632000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/3724-12-0x00007FFCECF73000-0x00007FFCECF75000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/3724-15-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/3724-17-0x0000000003000000-0x000000000300C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/4460-49-0x000001D13B1F0000-0x000001D13B212000-memory.dmp

                                        Filesize

                                        136KB