Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2024, 02:48

General

  • Target

    JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe

  • Size

    1.3MB

  • MD5

    e528a270f37e906c1aab696b5cb6249b

  • SHA1

    6a0e39acd6078a45ad016fdf0e7720a9e3970ba5

  • SHA256

    674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c

  • SHA512

    15786861b57c0a7158d73267c21f84702cc1d7be93d83499c84e5e47adc55c5dcb0d15696b6b8070a4925507571e2f697e33bae270e3e10f0f5f40c2dea20f20

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4452
          • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
            "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2460
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:4988
                • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                  "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:968
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4720
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:4460
                      • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                        "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1224
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3068
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:4648
                            • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                              "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4888
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1404
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:4964
                                  • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                    "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1100
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1916
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:3836
                                        • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                          "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:3296
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:3872
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:4740
                                              • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:548
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3392
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:3404
                                                    • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                      "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3984
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
                                                        20⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4332
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          21⤵
                                                            PID:2068
                                                          • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                            "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                            21⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:928
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
                                                              22⤵
                                                                PID:4112
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  23⤵
                                                                    PID:3320
                                                                  • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                                    "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                                    23⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3668
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
                                                                      24⤵
                                                                        PID:3588
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          25⤵
                                                                            PID:5012
                                                                          • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                                            "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                                            25⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2744
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
                                                                              26⤵
                                                                                PID:2260
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  27⤵
                                                                                    PID:4804
                                                                                  • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                                                    "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                                                    27⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3076
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
                                                                                      28⤵
                                                                                        PID:3112
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          29⤵
                                                                                            PID:1860
                                                                                          • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                                                            "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                                                            29⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:4104
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
                                                                                              30⤵
                                                                                                PID:1652
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  31⤵
                                                                                                    PID:4356
                                                                                                  • C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
                                                                                                    "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
                                                                                                    31⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2416
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1860
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4036
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:5052
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3392
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3068
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3548

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

                                        Filesize

                                        1KB

                                        MD5

                                        baf55b95da4a601229647f25dad12878

                                        SHA1

                                        abc16954ebfd213733c4493fc1910164d825cac8

                                        SHA256

                                        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                        SHA512

                                        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        6d42b6da621e8df5674e26b799c8e2aa

                                        SHA1

                                        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                        SHA256

                                        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                        SHA512

                                        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                      • C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

                                        Filesize

                                        215B

                                        MD5

                                        02923d17619517693633e52dcf28735f

                                        SHA1

                                        3ab44b8289ef113d251962ddcd5adfaa63b10ffa

                                        SHA256

                                        def61b8c8df9e43f43b9c104532da5909295a1701fc323b8345cbaf2e7e288ea

                                        SHA512

                                        8694a351ecd61d5aa2d97eed13951c094b976b9483751002a7f9d0d7d1ebc20350b1c80eba41a12e34630d55f0347b7adf71214e13c13fb8b7c7e1fa780e54eb

                                      • C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

                                        Filesize

                                        215B

                                        MD5

                                        a97d547ff0d82000c21b42ed1422449b

                                        SHA1

                                        28df52a93ba1dec3b54295b660efbd7177b7a343

                                        SHA256

                                        b66371d4a7c40b57ddfe21719e21e3797312d2c04e5a1f91b3632137acfb8e34

                                        SHA512

                                        a513b428333ff990f3b4cd301f248d8946ebb6e298fcf6c266231b49c40be1a7745a0cd2da216cfced9ca4f836d714eb138914e16fd5d6f317cc7b3370251782

                                      • C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

                                        Filesize

                                        215B

                                        MD5

                                        aafc79d706e5814c56321c63aaede31c

                                        SHA1

                                        831908965b91c4729d7d3dfbc757e4b0597f9b9a

                                        SHA256

                                        187eb8b02dd0cbadf00fc4365448b368b62f0bec1024c73a8beac8c6728b84a0

                                        SHA512

                                        68dc993be0504c3cecf385eb0a50540262e688edc24dccf4e1d2edaac051e4a81956ec6005b560fbdddfde74421972e32decc432ca9c359e8d6e18514f47b271

                                      • C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

                                        Filesize

                                        215B

                                        MD5

                                        03d17eed9d7b9d49a8d5aed6006e0ae7

                                        SHA1

                                        2a85e401fd798bfb19b813f75f63489c4aab229b

                                        SHA256

                                        3510fea14a3b4c930a48c4d7b44908103ee7ef85171d99ce0568b5bdbf6d71a5

                                        SHA512

                                        d6050f239a9a96cb8124b2b0e08b764507d04e45cbadb49bd6a2cbec4349898d591f27132021b7be69a26f9bb53e39dbf5568e654f1f1fed8ea46cfd8e43e19d

                                      • C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

                                        Filesize

                                        215B

                                        MD5

                                        da5db77673fd3948bc018e367a843f09

                                        SHA1

                                        3268e31f2e99dba0074fb156f1c8c8acf9cd1365

                                        SHA256

                                        e66b7713f972f8f675c4d6d0e2907ea00455d973ce86703e230aa61d38ccb786

                                        SHA512

                                        893688ef8d11130980144e3b2095f19604decc0df8c183450a8b30c9386f301c5ed83d0b2f9b28309efefdc7cdb9baa401099b45a1e02dbf56715fc33ad8f01c

                                      • C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

                                        Filesize

                                        215B

                                        MD5

                                        f612c8218d78c3827d3b311966ed6df8

                                        SHA1

                                        f14b800b35ce85055a03e6925d4110809edec705

                                        SHA256

                                        1e2417c19362695d0f04ded09904e7b4e71447edf0601ca0a4e1ddb57d0e7c86

                                        SHA512

                                        ba2c7ae9b7d6e3755b5c8cd69ad53cc37960ad6f9a1cec95e8ba02c54f07dbf63e4ab0923b243e1d7b819eed3778e3889b0169d573e76163d25d6c8ad3859706

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhlnczmr.kqk.ps1

                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      • C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

                                        Filesize

                                        215B

                                        MD5

                                        71c17b25a98f5b99028ea703504af749

                                        SHA1

                                        4f9304cdba60214afa99b97a7f8616cf6ce12618

                                        SHA256

                                        fd669c4f905510865a7b71a4aabde0bacc2a2e190275f999934c3aca3aa8a66b

                                        SHA512

                                        f4fadf577e4941f1f8ff46dd00b10f42e2489ee6f88bf49d8d97121b8bcb75087be959e6dd15adf80c2101cc31ec95149bf4bab934f1c7f48b1484335a039438

                                      • C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

                                        Filesize

                                        215B

                                        MD5

                                        1ebde8838f7e121ab8ccc89dda167a46

                                        SHA1

                                        b7651a3c661686385ee30b691710d7c38ff3275d

                                        SHA256

                                        25155dbd4ea2d46ec35ca6dffb48dadc1e53ac25c07f6f1ff540ae707b869396

                                        SHA512

                                        796235497abebe56425a35f63b84971260ee4ae376af9c9393a9d7a68102047c7dc185b5fefbff9895200ad4a392c522b6701c59ea56bda1a1c14fcc807708b9

                                      • C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

                                        Filesize

                                        215B

                                        MD5

                                        f41ccfb86d3bce22264452d5d8364fec

                                        SHA1

                                        747a569bef73177b4d30631651ecb62759b45e73

                                        SHA256

                                        1b5eaa794f7a476eb2743aa43cc58c8745678face2059a3ee9010ce16dee3c9c

                                        SHA512

                                        4791e69de7298bf796b65fd1f6fadcd341603ce9589f28215a712dc48eebc7ed16aaed6a1b243503971c2a74ef41f42cb4848f926d021eb68ae15f7fe50106ea

                                      • C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

                                        Filesize

                                        215B

                                        MD5

                                        658112f873226ccfb9691f221ae8d4e4

                                        SHA1

                                        28074cca5a3b684e43b416934afb77cedc201e99

                                        SHA256

                                        32cefa0cf45a4d61127360dd40c7587c54d86e9601acf7ebf76b700df1c5c374

                                        SHA512

                                        a54c704cad76c088f401dfc40c903a5738709629bdf4d62e8465193cac9b9318792d1f0100e1b3eeeddb60886fc39e94e55486276718cb9da985c4b4b043115c

                                      • C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

                                        Filesize

                                        215B

                                        MD5

                                        116c2ff937a6b533fd41baee8b0cc726

                                        SHA1

                                        ab1b847ee231e67722739f1c3870a3c9592f6be7

                                        SHA256

                                        6774df72fd231169f7cf73fd6ebbd64f1b77a7a3c6c546ec0af24ea45ebb2088

                                        SHA512

                                        e43b9c41bbc7d5b2a773a6aa0b275bd2e7af7739063cdd3337723e135b42be85caa8935786d35fecc10bc6730eac6f4ac1db69d9e670bdfaeac37ee8c200a9d3

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • memory/412-16-0x0000000001460000-0x000000000146C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/412-17-0x0000000001470000-0x000000000147C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/412-15-0x0000000001450000-0x000000000145C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/412-14-0x00000000012A0000-0x00000000012B2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/412-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/412-12-0x00007FF823C43000-0x00007FF823C45000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/548-109-0x0000000001850000-0x0000000001862000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1224-83-0x000000001B720000-0x000000001B732000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/3076-140-0x0000000001490000-0x00000000014A2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/3296-102-0x0000000002E20000-0x0000000002E32000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4452-42-0x000002752B770000-0x000002752B792000-memory.dmp

                                        Filesize

                                        136KB

                                      • memory/4540-61-0x0000000002B10000-0x0000000002B22000-memory.dmp

                                        Filesize

                                        72KB