Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 01:12

General

  • Target

    JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe

  • Size

    1.3MB

  • MD5

    fd4723d4daed5b787199a3d5e21040b5

  • SHA1

    533cff7711b4d262509260280227fcb0d0433b67

  • SHA256

    cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5

  • SHA512

    821cc704eaacd6cdf1891a382629ada668952d151bdd30acc8e657bcf50d6cdd1c2f9e584cbf99a40e53af726600ac7ab413ed4f3c42a90cf805b089dd043cf9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4784
          • C:\Windows\Offline Web Pages\dllhost.exe
            "C:\Windows\Offline Web Pages\dllhost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1520
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3892
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:912
                • C:\Windows\Offline Web Pages\dllhost.exe
                  "C:\Windows\Offline Web Pages\dllhost.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2232
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4816
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:440
                      • C:\Windows\Offline Web Pages\dllhost.exe
                        "C:\Windows\Offline Web Pages\dllhost.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3304
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3056
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:4040
                            • C:\Windows\Offline Web Pages\dllhost.exe
                              "C:\Windows\Offline Web Pages\dllhost.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3272
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3096
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:3260
                                  • C:\Windows\Offline Web Pages\dllhost.exe
                                    "C:\Windows\Offline Web Pages\dllhost.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4276
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1812
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:1452
                                        • C:\Windows\Offline Web Pages\dllhost.exe
                                          "C:\Windows\Offline Web Pages\dllhost.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:1336
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2212
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:4528
                                              • C:\Windows\Offline Web Pages\dllhost.exe
                                                "C:\Windows\Offline Web Pages\dllhost.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:4200
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4904
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:4328
                                                    • C:\Windows\Offline Web Pages\dllhost.exe
                                                      "C:\Windows\Offline Web Pages\dllhost.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4320
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
                                                        20⤵
                                                          PID:3540
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            21⤵
                                                              PID:4816
                                                            • C:\Windows\Offline Web Pages\dllhost.exe
                                                              "C:\Windows\Offline Web Pages\dllhost.exe"
                                                              21⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3436
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
                                                                22⤵
                                                                  PID:2200
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    23⤵
                                                                      PID:3788
                                                                    • C:\Windows\Offline Web Pages\dllhost.exe
                                                                      "C:\Windows\Offline Web Pages\dllhost.exe"
                                                                      23⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2988
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
                                                                        24⤵
                                                                          PID:1264
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            25⤵
                                                                              PID:1796
                                                                            • C:\Windows\Offline Web Pages\dllhost.exe
                                                                              "C:\Windows\Offline Web Pages\dllhost.exe"
                                                                              25⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1484
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
                                                                                26⤵
                                                                                  PID:2956
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    27⤵
                                                                                      PID:4276
                                                                                    • C:\Windows\Offline Web Pages\dllhost.exe
                                                                                      "C:\Windows\Offline Web Pages\dllhost.exe"
                                                                                      27⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4456
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
                                                                                        28⤵
                                                                                          PID:4580
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            29⤵
                                                                                              PID:4696
                                                                                            • C:\Windows\Offline Web Pages\dllhost.exe
                                                                                              "C:\Windows\Offline Web Pages\dllhost.exe"
                                                                                              29⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:3528
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
                                                                                                30⤵
                                                                                                  PID:672
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    31⤵
                                                                                                      PID:4892
                                                                                                    • C:\Windows\Offline Web Pages\dllhost.exe
                                                                                                      "C:\Windows\Offline Web Pages\dllhost.exe"
                                                                                                      31⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4560
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
                                                                                                        32⤵
                                                                                                          PID:3700
                                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                            33⤵
                                                                                                              PID:244
                                                                                                            • C:\Windows\Offline Web Pages\dllhost.exe
                                                                                                              "C:\Windows\Offline Web Pages\dllhost.exe"
                                                                                                              33⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4520
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2148
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3616
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:532
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3984
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5000
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\AppData\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1304
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4320

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              baf55b95da4a601229647f25dad12878

                                              SHA1

                                              abc16954ebfd213733c4493fc1910164d825cac8

                                              SHA256

                                              ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                              SHA512

                                              24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              2KB

                                              MD5

                                              d85ba6ff808d9e5444a4b369f5bc2730

                                              SHA1

                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                              SHA256

                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                              SHA512

                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              6d42b6da621e8df5674e26b799c8e2aa

                                              SHA1

                                              ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                              SHA256

                                              5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                              SHA512

                                              53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              d28a889fd956d5cb3accfbaf1143eb6f

                                              SHA1

                                              157ba54b365341f8ff06707d996b3635da8446f7

                                              SHA256

                                              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                              SHA512

                                              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              119B

                                              MD5

                                              fad926bf02f67fd6caf78778d3e43e37

                                              SHA1

                                              80b41a99ca8d4cbe336c04ae1dc7493ca750aabf

                                              SHA256

                                              2f71445e093de0ee1d7e78c6aa4aa8ee34288d0959c1ffd1e0b7dff8edbc9e56

                                              SHA512

                                              9adc9de17cd3b5197cbd65147a52d85b278364b5eaf7f302a9fff31390b89218ba328c2a424a6cf30c84fed1e03671e069d97b5317ee0993c6ad0056f3896be1

                                            • C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

                                              Filesize

                                              205B

                                              MD5

                                              2b5f0a11f5edd9a0e6ce856ba63ec6bb

                                              SHA1

                                              40364a17a22713f61066a418516ab845c30d59ad

                                              SHA256

                                              25c77ba2553bf00b3cf4729bfaa4aad8c3d228c7a7452958f376064ae7f2e28d

                                              SHA512

                                              fd929a3d0ce852cc0ac2c977775038d4a6711b03370e5356170a4ae9956d5b4b748f0cda64a3c29ec710f1db885a9dfb7457ae40d24ad723f8f579f8f210b8cc

                                            • C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

                                              Filesize

                                              205B

                                              MD5

                                              4de336c0d7fe9e4b9e2a864ba37e3774

                                              SHA1

                                              377b76033aada950ab7ad19c6635b3d7be2b53dd

                                              SHA256

                                              70f8e4b6a6b1540e447babd53354b7d5752c05249e0ce89bf800b154a598640c

                                              SHA512

                                              27fa8e4f82f403a56b69662789b026e3966b66cbb2e73bd6356324dc7c4959dc6c250efe049438cb53a4e63f1d7f013dd520977b7b4fea98996a1f67c1ef780f

                                            • C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

                                              Filesize

                                              205B

                                              MD5

                                              ea08afaffbf02b67d06529c715399d30

                                              SHA1

                                              cc936e9068f4aa69018a00ba920c4be95eac2d69

                                              SHA256

                                              dd09ff642109114ad40335af03725b67d2b0ab06c77c1d8211d163da2d188df9

                                              SHA512

                                              607d7a4471c33c657b4a6036d81fbfede978f67d03cee17a72f347dfdaf73c943f7a79575a224f2372b14445256cbf577ade709674e3ea8eccbf29f2d4934076

                                            • C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

                                              Filesize

                                              205B

                                              MD5

                                              4e3117475d59e73fe2ce6dde9c12a321

                                              SHA1

                                              58404357ca96b2fe8021f5e54d5da8858377c0cf

                                              SHA256

                                              6a723e968f2afedfafa189e5344e96139e7c60e15e15f63aa4dbb092f28cb364

                                              SHA512

                                              6bcc12ae5b626f585732885689a95430fc1945e54d1bca37fac2f3b6b351e72e7ba3f2950648673be136090ced77cb87dd0460a677f22bdd02a943e029417dd7

                                            • C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

                                              Filesize

                                              205B

                                              MD5

                                              9a04c44e1bcc580c622a18361c2b3418

                                              SHA1

                                              d723c9ae73fd566ff968f973956e9334a2876cfc

                                              SHA256

                                              453cb199508742b825d176619a22564c75273f3fed723df376cb86b6071d2e3e

                                              SHA512

                                              bd1d77953a9f57841bfe128247c9ba0e3bfc2b191092ab55e4bcc7cd1d52fa11ef15adc2da4bebb3466c904a3654c12449990e227202850ca85a72ccd9e04fd1

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pdga2gk.yxi.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

                                              Filesize

                                              205B

                                              MD5

                                              562c8905a641ae8dcf849d631dca8c81

                                              SHA1

                                              5a108f90697cd766739b218f5688d5e6b01dbfcc

                                              SHA256

                                              6e9bc302a38ab45ce241888aef5bceab16246e38888f1ceef35f0685b5f3c0d4

                                              SHA512

                                              314724ad2862b3d22fe703667d210517eea57b34c9192b8fcce5eb02c8a3dbe50546bf2686eabe0e568eb3d5aa70717e4ecd39bc4443dca572690c5f9b266f33

                                            • C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

                                              Filesize

                                              205B

                                              MD5

                                              f5df0bad936959f0e60b87303115cf2f

                                              SHA1

                                              4b7e43a22294eb41e21df36884b85c186c643ac0

                                              SHA256

                                              2e65e09c317362363ed789740831110ec5e344cd1261a1c474ca420194e85c89

                                              SHA512

                                              259f44eb05dc67b97800125dcf109a5fe279a07aeb2c97ad953dd4f5a8dcc2d24fc988b65b54ff602f3075c0dc75765a2103279687e21c987355772a077d6cae

                                            • C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

                                              Filesize

                                              205B

                                              MD5

                                              6db0462d2224fb62bd38b73e5abd0880

                                              SHA1

                                              44871b4dd7e57a90469475abbe0544f1e7211e0d

                                              SHA256

                                              25c5b15b87a4578b6c0eca7bb4bcde2b2ba462c0ccedd0f2fa12d00204f0c110

                                              SHA512

                                              5ef6ab06d34333386f2b7945e3ff8de2a5dd6ff2d848b76bab51bce8034ec8a33d1743a1c2d0322971e7cb98108ab15c0c75fe67b6db337a2b288255de7efc99

                                            • C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

                                              Filesize

                                              205B

                                              MD5

                                              257dac3d890a91256cdc6160472e3f95

                                              SHA1

                                              a0f29b85e794057e8ebf50834e9fbf7ad53e6126

                                              SHA256

                                              ee7fea31bb316c8e71824f0462d9774a907bb3bd9939af11d41a097e505b57e3

                                              SHA512

                                              6802e4bc9ee063b436756914b138690c6abab70548c2b3906396becc2e1584857b1eb92588616eceef7848ef8a198a23dc1adc4e78b8844f25599f5285d22f8d

                                            • C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

                                              Filesize

                                              205B

                                              MD5

                                              61bb84d2d0a8c9c833846da56cc50ce6

                                              SHA1

                                              8f63879d171b41b262ab93aab68c5d22884b51e2

                                              SHA256

                                              1bef605faa71c32815ad06ac016bd838d633862a6f9f6f6ec762693c599d4dd8

                                              SHA512

                                              e2ae2a79acc9d129059c5a0cb71b3b5628fdc1dd56ec3072ecc23061f7920d03b7ad94017ac12d36c33913b0ce19535c10cf850d4ab85de450c6c895e0493848

                                            • C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

                                              Filesize

                                              205B

                                              MD5

                                              5f1719200284678ac748af612a82a85d

                                              SHA1

                                              0679d12a48fde8f61ff3bdc583ebca7c09a98a63

                                              SHA256

                                              d0323d12ef9cbfcc2cfc1f94203111eb26024be8d1b2b69cda3f874bba0959d1

                                              SHA512

                                              b20ea404230e20a53980c9e66267fff597978e0d26b48f00f164a911463195e0655e894cd241ed55b3637b0ea1cc85b1a9d2ce519c97a219dec81e6174a74fed

                                            • C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

                                              Filesize

                                              205B

                                              MD5

                                              859101ab45bbabb5f5534e2dadf1dab8

                                              SHA1

                                              84b41326729b328fb0ee0701e943d146c44de53a

                                              SHA256

                                              9944cd416aef891c1ee284c6c167d616e98ca4ae5169c17b71e5ec0f5995111f

                                              SHA512

                                              544fd78ab652aa0f6c9eb47a15dd9cacc050fbdf485bab91bbcce88351f06a8465e4a1d6fc5154623a407b65b9d07a1a1047a3aa344c73a5f78e298159351452

                                            • C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

                                              Filesize

                                              205B

                                              MD5

                                              8861f21ae3814b82b71c30bf8eaf8bcf

                                              SHA1

                                              c11905b0b693fff825fbca1b22643b1d3ad43a41

                                              SHA256

                                              797b493b669ff11c541fc022e2c40708aed9886d17cf60881a5f4bd75f7ab4f3

                                              SHA512

                                              60810fb29ad8777c2b504188188a1749e25cbab32e288ca75ecc7be31523fa855090c1fff630c2250387cb61f018e262b42f9764903b077eb5efc7395e257bc9

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/1336-129-0x0000000003110000-0x0000000003122000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1484-161-0x0000000000990000-0x00000000009A2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1520-74-0x0000000000EF0000-0x0000000000F02000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2740-37-0x00000258A6590000-0x00000258A65B2000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/3272-115-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3436-148-0x0000000002FE0000-0x0000000002FF2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4276-122-0x0000000001100000-0x0000000001112000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4456-168-0x000000001AEC0000-0x000000001AED2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4560-181-0x0000000002A50000-0x0000000002A62000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4856-16-0x000000001AD30000-0x000000001AD3C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4856-15-0x000000001AD20000-0x000000001AD2C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4856-14-0x0000000002390000-0x00000000023A2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4856-13-0x0000000000100000-0x0000000000210000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/4856-17-0x000000001AD40000-0x000000001AD4C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4856-12-0x00007FFDBCAD3000-0x00007FFDBCAD5000-memory.dmp

                                              Filesize

                                              8KB