Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2024, 18:16

General

  • Target

    JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe

  • Size

    1.3MB

  • MD5

    d40139b905cf0ec11a2b5e4969e16d5f

  • SHA1

    1a887bbc407efe7cccbe07598a3a67f20dbe29ff

  • SHA256

    e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651

  • SHA512

    ee798c7b6b86a8b51a420036daff14818fb855b50e47a2e1f5ac89ae835355c4ff8f2976e09c07665af2bdb87bec7614173a5d1a600269300cc0de8d5e851999

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4172
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fn6r3s7Cpa.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1256
              • C:\Recovery\WindowsRE\DllCommonsvc.exe
                "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3016
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3732
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1456
                    • C:\Recovery\WindowsRE\DllCommonsvc.exe
                      "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:556
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2236
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:4324
                          • C:\Recovery\WindowsRE\DllCommonsvc.exe
                            "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3300
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2820
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:3892
                                • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                  "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4968
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3784
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:2480
                                      • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                        "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4424
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4680
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:4008
                                            • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                              "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:4684
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:1660
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:2240
                                                  • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                                    "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4788
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
                                                      19⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4548
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        20⤵
                                                          PID:3472
                                                        • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                                          "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                                          20⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3240
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
                                                            21⤵
                                                              PID:4020
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                22⤵
                                                                  PID:2948
                                                                • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                                                  "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                                                  22⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4260
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
                                                                    23⤵
                                                                      PID:2008
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        24⤵
                                                                          PID:2364
                                                                        • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                                                          "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                                                          24⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3024
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
                                                                            25⤵
                                                                              PID:768
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                26⤵
                                                                                  PID:5080
                                                                                • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                                                                  "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                                                                  26⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1108
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
                                                                                    27⤵
                                                                                      PID:3552
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        28⤵
                                                                                          PID:4912
                                                                                        • C:\Recovery\WindowsRE\DllCommonsvc.exe
                                                                                          "C:\Recovery\WindowsRE\DllCommonsvc.exe"
                                                                                          28⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4056
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
                                                                                            29⤵
                                                                                              PID:2720
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                30⤵
                                                                                                  PID:1136
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3084
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2396
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1844
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2800
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3128
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\fontdrvhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4972
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3720
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1708

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

                                        Filesize

                                        1KB

                                        MD5

                                        7f3c0ae41f0d9ae10a8985a2c327b8fb

                                        SHA1

                                        d58622bf6b5071beacf3b35bb505bde2000983e3

                                        SHA256

                                        519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

                                        SHA512

                                        8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        6d42b6da621e8df5674e26b799c8e2aa

                                        SHA1

                                        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                        SHA256

                                        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                        SHA512

                                        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        6d3e9c29fe44e90aae6ed30ccf799ca8

                                        SHA1

                                        c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                        SHA256

                                        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                        SHA512

                                        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                      • C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

                                        Filesize

                                        203B

                                        MD5

                                        275116043e5c70f3bee0a1fa8c7fb75d

                                        SHA1

                                        319b94c96b2953b9a6f41e07e48d34e672804f73

                                        SHA256

                                        1ca10611127323cea1ca887e9a271cc221112640887ea7c8b66e01c52ab54027

                                        SHA512

                                        31492caf98e97cbaa66fe0fb9744c4142c78bb586efba2f0d12795915a687095751bb86f5c1dcdfddba0bc5fdff560977f25c36e97b5eb040370114b7b74b8e0

                                      • C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

                                        Filesize

                                        203B

                                        MD5

                                        7d5713e7faa7234db3ec888edb5d67a7

                                        SHA1

                                        73e341e16674db3378876d060b5b1a486af2a0ba

                                        SHA256

                                        0ceb78663532390abf286e4ec18fa4d7ef68b06c1e85ce4def18058dcac0564b

                                        SHA512

                                        b117ddd7d81f752a877770e353f560b5aa7f14f2008ae0d1603fe68ba57ed4df0b77102e30ffa42fc89e6948689b7f60357e8ae78b67b50d4a11f27590d2cd6d

                                      • C:\Users\Admin\AppData\Local\Temp\Fn6r3s7Cpa.bat

                                        Filesize

                                        203B

                                        MD5

                                        a1b4b7da107cc98dfc9f38a449508131

                                        SHA1

                                        9a1cb76a45a2ad9cee918a352609dc29432847f1

                                        SHA256

                                        231956c1668190d535b30af334a281a8bd763734c5330d8031e1908638ca2944

                                        SHA512

                                        a7d16df269b3acf8350c5bb609c1a5e272d9519d813486733c4165d195e81d777539d828fb45b2a5d005c43895b5e294a7554e2a03879f60f7a15ef964113fac

                                      • C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

                                        Filesize

                                        203B

                                        MD5

                                        27e9c5630e6ac61359f096ff08dd41ac

                                        SHA1

                                        3b90ce1c5ed7d126ba64d7254accdd7c9bd40832

                                        SHA256

                                        5df44830053cedc6b6dfa6bb710b606fcad4c114883c8b73bbe8fbba5d3b6995

                                        SHA512

                                        9f20a46047dacf7b5ac6779b5eae18ab587063bfcd55dfe06655d67f47f34a4db223c926cc209b94911aa0f2d21c3af899d7017d7794c5d4e0c82ba550906403

                                      • C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

                                        Filesize

                                        203B

                                        MD5

                                        6ef025ce7e54492caf1ffd1a167b824b

                                        SHA1

                                        1dde82e46e119400c927f5c66413ba91d0857677

                                        SHA256

                                        a83e032b71e3370909707dfddf03ffdd3ef63dc5ba450d62f5ea44148cd92ea1

                                        SHA512

                                        50199aa1c2944fecd62b273aa12be7ec0e0c9e7e03501efc52cabb014c76377b5425292916d26b95e5e5b47f7f23157c0db3338818a0d4dea82db9238fa0cf05

                                      • C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

                                        Filesize

                                        203B

                                        MD5

                                        c5a7f66826f0b19584e6154f88fc69f0

                                        SHA1

                                        7756bd40c89c65921fd9370df0c08e0a236ff305

                                        SHA256

                                        89a6eb526dca9b77ad9e219668e1237dfdf0c9ef032e43fbd63ba0487a2a388f

                                        SHA512

                                        362c0c2c31b9b53d4cfd7db54fb350f71f4a57890f09a8dcacc5f455d1f610f7205f734fc83ea6626a8d8935405a7190f949abfc054095088affe72b5b300c06

                                      • C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

                                        Filesize

                                        203B

                                        MD5

                                        5a10a0651ab8c00157e2c7c3c21c2791

                                        SHA1

                                        52ffaf415585cc982f8ad94a268d7fe43aefabe2

                                        SHA256

                                        10be3a48c321dce858c684383aa39433f5b9ae8985bb21c563890dfa2b897da2

                                        SHA512

                                        2ddcd5165866026c3221c33f2103f802c59b3a67cab85e819359d177bb351991968a8a14525897c8615079d494bd80adc56f27f8288360dcb493e428ff3336c8

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5h5s4v3.mpn.ps1

                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      • C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

                                        Filesize

                                        203B

                                        MD5

                                        4786e17674bdde71af78c637f44049f4

                                        SHA1

                                        26537a58a51535cac95504c32d830db30d323440

                                        SHA256

                                        46f7dd9e25590e700ab4f2520aff20bf030baac8ac28969d65eb91b4d2c64777

                                        SHA512

                                        b10cfcfedca6ca0fa147ba16f0c901f1e135d97849bd7c2f1e81642fa4c4cd346bbe6adc36e5e8338bdb66306f6ac71a93e620e22459c9d592c2ece0023ed7f6

                                      • C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

                                        Filesize

                                        203B

                                        MD5

                                        bb21bef4b303be4694f3632c00cdf34f

                                        SHA1

                                        77b5101b4aa2f2ade0797b843d07f643701c31af

                                        SHA256

                                        febe1d0a0e59795d78b1ab1153132534f4d455d157c72e0aba8ec02fbfed2c7b

                                        SHA512

                                        641fe60db269204de461953dd4117b501d4594697f22fcc021a77398c7e8f492009b37ef04b164c2f9dd2d61f511f8f45b143d4f3472add097508ed6f4905fd0

                                      • C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

                                        Filesize

                                        203B

                                        MD5

                                        d1c278301c847f774cac11dbda72b86e

                                        SHA1

                                        086374df12ac364825721b3118704a2e89db973d

                                        SHA256

                                        047d10a0d722b24d2e613f7aea113247fe497e49554acddf1bc6f4c8d10987ec

                                        SHA512

                                        74b71cc2371745a679b4f9efb747b37254511e73a1ad0a44fbb65b2f0af9af94ed02ddbf7c486b8f5686ddb3bd1a1d3e418c840701e6cbc0957828459dd4a4ef

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • memory/1372-16-0x0000000001620000-0x000000000162C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1372-15-0x0000000001640000-0x000000000164C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1372-14-0x0000000001610000-0x0000000001622000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1372-17-0x0000000001650000-0x000000000165C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1372-12-0x00007FFA07433000-0x00007FFA07435000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/1372-13-0x0000000000D40000-0x0000000000E50000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/3016-80-0x0000000001530000-0x0000000001542000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/3016-85-0x000000001C940000-0x000000001CAAA000-memory.dmp

                                        Filesize

                                        1.4MB

                                      • memory/3024-143-0x000000001B3E0000-0x000000001B3F2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/3240-129-0x000000001B790000-0x000000001B7A2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4056-156-0x0000000001800000-0x0000000001812000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4172-32-0x000001D2EC4D0000-0x000001D2EC4F2000-memory.dmp

                                        Filesize

                                        136KB

                                      • memory/4260-136-0x0000000001750000-0x0000000001762000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4424-112-0x000000001C340000-0x000000001C4AA000-memory.dmp

                                        Filesize

                                        1.4MB

                                      • memory/4424-107-0x00000000011B0000-0x00000000011C2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4684-119-0x000000001C3D0000-0x000000001C53A000-memory.dmp

                                        Filesize

                                        1.4MB

                                      • memory/4788-126-0x000000001C070000-0x000000001C1DA000-memory.dmp

                                        Filesize

                                        1.4MB

                                      • memory/4968-104-0x000000001C710000-0x000000001C87A000-memory.dmp

                                        Filesize

                                        1.4MB