Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/12/2024, 01:51

General

  • Target

    JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe

  • Size

    1.3MB

  • MD5

    b0e7be27280e7a6e75df7c8590b35067

  • SHA1

    e1331032a6911e4257c59a22850181bcaeb17a58

  • SHA256

    375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923

  • SHA512

    1bdc408beb993c93f582d26a240f18f01c73632c922bca902d59eef40f84836e4ed06cbc44faf69d7dd6ec5b849fff7903c7327f4a3a264b4020e40c47c3327d

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.

  • Dcrat family
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro; here it fires on the 12 schtasks.exe invocations, which the process tree shows with no visible parent.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, or processes; here five -ExclusionPath entries are added, one for each dropped executable.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    schtasks.exe is commonly used by malware for persistence or post-infection execution. Here 12 tasks are created, three per dropped binary: two MINUTE-interval re-launch tasks (one at /rl HIGHEST) and one ONLOGON task at /rl HIGHEST.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4060
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RoC84loMkT.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4636
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4252
              • C:\Windows\ImmersiveControlPanel\conhost.exe
                "C:\Windows\ImmersiveControlPanel\conhost.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3580
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:684
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2696
                    • C:\Windows\ImmersiveControlPanel\conhost.exe
                      "C:\Windows\ImmersiveControlPanel\conhost.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4236
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3772
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2472
                          • C:\Windows\ImmersiveControlPanel\conhost.exe
                            "C:\Windows\ImmersiveControlPanel\conhost.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2700
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2704
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:4076
                                • C:\Windows\ImmersiveControlPanel\conhost.exe
                                  "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:1008
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3592
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:4848
                                      • C:\Windows\ImmersiveControlPanel\conhost.exe
                                        "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:2860
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2692
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:3580
                                            • C:\Windows\ImmersiveControlPanel\conhost.exe
                                              "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2176
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:4088
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:1980
                                                  • C:\Windows\ImmersiveControlPanel\conhost.exe
                                                    "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1144
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
                                                      19⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4052
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        20⤵
                                                          PID:4952
                                                        • C:\Windows\ImmersiveControlPanel\conhost.exe
                                                          "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                                          20⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1904
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
                                                            21⤵
                                                              PID:2700
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                22⤵
                                                                  PID:4080
                                                                • C:\Windows\ImmersiveControlPanel\conhost.exe
                                                                  "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                                                  22⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2928
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
                                                                    23⤵
                                                                      PID:1480
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        24⤵
                                                                          PID:4848
                                                                        • C:\Windows\ImmersiveControlPanel\conhost.exe
                                                                          "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                                                          24⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4244
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
                                                                            25⤵
                                                                              PID:3908
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                26⤵
                                                                                  PID:4760
                                                                                • C:\Windows\ImmersiveControlPanel\conhost.exe
                                                                                  "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                                                                  26⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:4856
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
                                                                                    27⤵
                                                                                      PID:1104
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        28⤵
                                                                                          PID:404
                                                                                        • C:\Windows\ImmersiveControlPanel\conhost.exe
                                                                                          "C:\Windows\ImmersiveControlPanel\conhost.exe"
                                                                                          28⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3904
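The schtasks.exe /create lines in the process list above, parsed into a persistence inventory. This is an added example and not part of the report: the input list copies five of the command lines from the list above and adds one constructed benign task as a control; the SYSTEM_BINARIES map (which directories csrss.exe, conhost.exe and dllhost.exe legitimately ship in) is an assumption of the example, not something the report states. The masquerade check catches the report's pattern of Windows binary names planted in directories such as C:\Windows\L2Schemas and C:\providercommon, and the grouping shows the several-tasks-per-binary layout.

```python
"""Added example: build a persistence inventory from the schtasks.exe /create
command lines in the report and flag masquerading targets."""
import re

# Copied from the report's process list, plus one constructed benign task.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "AcmeUpdate" /sc DAILY /tr "'C:\Program Files\Acme\update.exe'" /f''',  # constructed control
]

# Directories these Windows binaries legitimately ship in (lower-case).
# Assumption of the example; extend for other names you care about.
SYSTEM_BINARIES = {
    "csrss.exe":   {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

OPTION_RE = re.compile(r'''/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))''', re.IGNORECASE)


def parse_schtasks(line):
    """Options of one 'schtasks /create' line as a dict, or None if it is
    not a create call. The report's lines wrap the /tr path in an extra pair
    of single quotes, which is stripped here."""
    if "/create" not in line.lower():
        return None
    opts = {}
    for m in OPTION_RE.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).lower()] = value.strip("'")
    return opts


def masquerade(target):
    """True when the file name is a known Windows binary but the directory
    is not one it ships in, e.g. C:\\Windows\\L2Schemas\\dllhost.exe."""
    directory, _, name = target.lower().rpartition("\\")
    legit = SYSTEM_BINARIES.get(name)
    return legit is not None and directory not in legit


def inventory(lines):
    """One row per task: name, trigger (with /mo interval), target, whether it
    runs at /rl HIGHEST, and whether the target masquerades."""
    rows = []
    for line in lines:
        o = parse_schtasks(line)
        if not o or "tr" not in o:
            continue
        trigger = o.get("sc", "").upper() + ("/" + o["mo"] if "mo" in o else "")
        rows.append({"task": o.get("tn"), "trigger": trigger, "target": o["tr"],
                     "highest": o.get("rl", "").upper() == "HIGHEST",
                     "masquerade": masquerade(o["tr"])})
    return rows


def tasks_per_target(lines):
    """Task names grouped by launched binary: the report registers several
    tasks per dropped file (MINUTE re-launch loops plus an ONLOGON trigger)."""
    grouped = {}
    for r in inventory(lines):
        grouped.setdefault(r["target"], []).append(r["task"])
    return grouped


def suspicious(lines):
    """Tasks to escalate: a masquerading target, or a MINUTE-interval trigger
    (a re-launch loop keeps the implant alive if the process is killed)."""
    return [r["task"] for r in inventory(lines)
            if r["masquerade"] or r["trigger"].startswith("MINUTE")]


if __name__ == "__main__":
    for row in inventory(SCHTASKS_LINES):
        print(row)
    print("escalate:", suspicious(SCHTASKS_LINES))
```

Feed it all 12 lines from the list above (or command lines from your own process telemetry) to get one row per task; the masquerade check is the part worth keeping as a standing rule, since a task whose action is named csrss.exe or conhost.exe outside System32 has no legitimate reason to exist.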

Network

MITRE ATT&CK Enterprise v15


                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

                                          Filesize

                                          1KB

                                          MD5

                                          baf55b95da4a601229647f25dad12878

                                          SHA1

                                          abc16954ebfd213733c4493fc1910164d825cac8

                                          SHA256

                                          ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                          SHA512

                                          24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          2KB

                                          MD5

                                          d85ba6ff808d9e5444a4b369f5bc2730

                                          SHA1

                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                          SHA256

                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                          SHA512

                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

• C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat
  Filesize: 209B
  MD5: ccef91a587de848baa885f3e518d7108
  SHA1: 1d9bb571f3613f9b19965f62d8f81e1fb6203694
  SHA256: 4eea67c9645585b0fc1a0e76b40f70abd6775f9d6b75047e8d0b92378560cffd
  SHA512: 3cadbc637478ef32a58fd8e8e5d1bfa636aa43569bd95e011451457fe01598ad2be437edb981dd2a4b60abd8bd790ad1b6d72e76b54bb5552b5cdfe0571a3aab

• C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat
  Filesize: 209B
  MD5: b76f89b2b1a1f20db80f4a6bf8a6181c
  SHA1: 1add334d33edce5b1e6b98a649917f87ef5a4c63
  SHA256: e4574c4583ce894f3a4f27e9a540a4347d49ac9a5e32e1d883a74234f4c193ca
  SHA512: 0d81f5c6b16896265e779cf9c3aa491deb9a564ba292d84ce7d7b35adcc04fc3d65dc3ac573fc448691f7ac088ce8b655ef1f97516b727ce0c2ceceb41775c3b

• C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat
  Filesize: 209B
  MD5: 053ba1560a2ff6c53be0a3e1bac3d804
  SHA1: bc839b9105729f3ffde8c1aaf6ba939538ac640a
  SHA256: 3aa5c67aa33214a03e6c0f37dc03f6b0eafd78ab7e18e6ee649d3b113b546322
  SHA512: 61490f5fe9dbc8dd9edf4a7e5ed23bbf41d1034c5d681f1533a94a3ea067b4c0d3b8e916784ad51728c903c599f86ab36873d49fb428e0b732df99fc04cc5bc9

• C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat
  Filesize: 209B
  MD5: 032c7f25664db67d3af6df5d090bd697
  SHA1: 9c6e078fda983effa549d7f9fec0c9104f0889e5
  SHA256: 96dd12c9293dade842ee9ff14b9fdbb4a3bda5d5c850700ea2799c0a061cad46
  SHA512: 69799c70c344e407eb6f54340c8a6444030a3f6da3c4ddb599e7cb09e6a550f7d24a491fa227b504ca617db96c6b0da310222984cdd5fddb679cb0fa5fea08d9

• C:\Users\Admin\AppData\Local\Temp\RoC84loMkT.bat
  Filesize: 209B
  MD5: 288adf9b0c0049e2a4d84ad06b94e972
  SHA1: a4873c834475411333bbe5f7195a349e6f1a402b
  SHA256: 1a60f39b7121d65ef31efe59d91e43ddb57fd266aa611fe0836ae54fffde9b47
  SHA512: 69496fa94506b384b4b8b7326402b61c4ed706652e4f83d5be0c333c795c11cfd05558db1df2f97051c1a066ff2980a0498575d999a9fe6ab48bc21491b0a881

• C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat
  Filesize: 209B
  MD5: 7e9c29b11e79ea4aefb7ff8d103f89c2
  SHA1: d88a65cb8d8611b6d6b52edfcd8180580e214ddd
  SHA256: 30b6bc7bdc96a68e6803d30a438bdeb883cfe76d830bde6de73870d009c99304
  SHA512: 61d47891ea585386daa71c0cb7e641d51316032b5c462bd0310e01f0fa15a6ac99be217aa9df7f14e924f52d99d11e6710b938367b45a541943c2c43294eb9f2

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jlhxlotz.zse.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat
  Filesize: 209B
  MD5: 25f8b0d6411f46137646358e4632dad5
  SHA1: a120dd562ceb3cc56769ce0eab8f79c79ec04a6f
  SHA256: c229d05f14dd6002bdca36da87d3f914ca168dc672462f3bc7824ba290342a28
  SHA512: 82b9cce1a045552292dfad14c4e250738bf373ba25610c9431dfbb15e889df2eadd3dcde64199aa9b85dd6f7bf9137d9c13beba9ca2962cd3f6f787c98c7b411

• C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat
  Filesize: 209B
  MD5: ec364c98613e208de731294e7fea0cee
  SHA1: 6b20cf6a4165c0c7ae31db39056d4cea4830d6b7
  SHA256: a1fe0a50c9e77c573b73f9775d760df28f77858d3964b781952a0d2cc87cbb64
  SHA512: 1f605a73f444c431f3e06cfecf176bfd7d1800b337d7e390a7527e14485a7231080e5afc7901209f15723f5beab89689cbb2cd7a028d0b3b0d450ce5e03ab5d9

• C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat
  Filesize: 209B
  MD5: cb307687356d5e002c0a077b2eaf1e4f
  SHA1: ff44f0622c2430951bc1c1f50ce32ac6518d0075
  SHA256: c6e50ae175596933de88eef573da73fd4f51a98615794cd402edc67df25be0c7
  SHA512: ae8e77d4a34801163ddd464fa1d758ed47cffb16e27ce0f239dcd8fa448286bae796681dc0b9dabfd743916ec57f2ba8544b61b442b8f1f4e3bcdd31f7390d99

• C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat
  Filesize: 209B
  MD5: d9d47688a3fe603d18c58813a963cc9a
  SHA1: 1c1c75b34e747eab1c64d1b59f43248e2aaa7667
  SHA256: b5e3b455a3182af300a9b815cd03c00b753061714590e2af3dcc735eef137023
  SHA512: 7e32105167bab922f1752805e166620fc0b4c719010ccee2f4d6439f1c4b6e7ec9e9efd08b4129e1173fafb05df75cb8f4645b44cb221890cc6d2bf64834a23e

• C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat
  Filesize: 209B
  MD5: 7652070c303de18f689f86f52229e22a
  SHA1: 66184ac2c29c244c36cdaa1506d33345e5df5753
  SHA256: 49f16adb844f7aab5cff5935bc839a413590e437ea018dfe355f6497f8b45cd0
  SHA512: 2a918b36797354169e3827c415054cd3f56d517f1958c14ca38a772c98a965c992e08456b50b7ad991fcc50a758f49cfa5133454f5433ea71415396984c8c01c

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
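Added example, not part of the sandbox report: an offline hash check of a directory against the dropped-file list above. The IOC table copies four SHA256 values from that list; the sample directory and its contents are constructed here so the script runs without the real samples. The two PowerShell paths in the list (`__PSScriptPolicyTest_*.ps1` and `StartupProfileData-NonInteractive`) are files powershell.exe writes on its own start-up, so the script reports them as runtime artifacts rather than payload drops; the name patterns used for that are the editor's own.

```python
"""Offline triage of a directory against the dropped-file hashes listed above.

Added example, not part of the sandbox report. The IOC table is a subset of the
SHA256 values on this page, the sample tree is constructed locally, and the
PowerShell runtime-artifact patterns are the editor's own.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the dropped-file list above (a subset).
DROPPED_SHA256 = {
    r"C:\providercommon\DllCommonsvc.exe":
        "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63",
    r"C:\providercommon\1zu9dW.bat":
        "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322",
    r"C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe":
        "2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1",
    r"C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat":
        "4eea67c9645585b0fc1a0e76b40f70abd6775f9d6b75047e8d0b92378560cffd",
}

# Files powershell.exe writes itself when it starts (execution-policy probe and
# start-up profile cache). Their hashes differ from run to run, so match on name,
# and read a hit as "PowerShell ran", not as a payload drop. Patterns are assumed.
POWERSHELL_RUNTIME = (
    re.compile(r"__PSScriptPolicyTest_[^\\/]+\.ps1$", re.IGNORECASE),
    re.compile(r"PowerShell[\\/]StartupProfileData-NonInteractive$", re.IGNORECASE),
)


def file_hashes(path):
    """Return md5/sha1/sha256/sha512 hex digests of one file, read in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def classify(path, sha256, ioc_sha256):
    """'ioc' on a content match, 'runtime' for PowerShell's own files, else 'unknown'."""
    if sha256 in ioc_sha256:
        return "ioc"
    if any(p.search(str(path)) for p in POWERSHELL_RUNTIME):
        return "runtime"
    return "unknown"


def scan(root, ioc_sha256):
    """Hash every file under root; return {path: (verdict, digests)}."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digests = file_hashes(p)
            results[str(p)] = (classify(p, digests["sha256"], ioc_sha256), digests)
    return results


def build_sample_dir():
    """Constructed sample tree: contents are invented, only one name mirrors the report."""
    root = Path(tempfile.mkdtemp(prefix="dcrat-triage-"))
    (root / "empty.bin").write_bytes(b"")
    (root / "__PSScriptPolicyTest_jlhxlotz.zse.ps1").write_text("# constructed\n")
    (root / "note.bat").write_bytes(b"@echo off\r\nrem constructed sample\r\n")
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for path, (verdict, digests) in sorted(scan(root, set(DROPPED_SHA256.values())).items()):
        print(f"{verdict:8} {digests['sha256']}  {path}")
```

Point the scanner at a mounted image or a collected Temp directory and feed it the full SHA256 column of the report; the .bat droppers here are all 209 bytes with distinct hashes, so a byte-for-byte hash match is the right test for those, while the PowerShell artifacts only tell you that a PowerShell process started.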

• memory/372-45-0x000002A3670B0000-0x000002A3670D2000-memory.dmp
  Filesize: 136KB

• memory/1008-115-0x000000001AD90000-0x000000001ADA2000-memory.dmp
  Filesize: 72KB

• memory/1904-141-0x00000000013C0000-0x00000000013D2000-memory.dmp
  Filesize: 72KB

• memory/2700-108-0x00000000031C0000-0x00000000031D2000-memory.dmp
  Filesize: 72KB

• memory/2860-122-0x0000000002780000-0x0000000002792000-memory.dmp
  Filesize: 72KB

• memory/2928-148-0x0000000002AA0000-0x0000000002AB2000-memory.dmp
  Filesize: 72KB

• memory/3580-92-0x0000000002890000-0x00000000028A2000-memory.dmp
  Filesize: 72KB

• memory/4236-101-0x00000000013E0000-0x00000000013F2000-memory.dmp
  Filesize: 72KB

• memory/4244-155-0x0000000002770000-0x0000000002782000-memory.dmp
  Filesize: 72KB

• memory/5084-17-0x000000001AE70000-0x000000001AE7C000-memory.dmp
  Filesize: 48KB

• memory/5084-16-0x0000000002540000-0x000000000254C000-memory.dmp
  Filesize: 48KB

• memory/5084-15-0x000000001AE60000-0x000000001AE6C000-memory.dmp
  Filesize: 48KB

• memory/5084-14-0x00000000024D0000-0x00000000024E2000-memory.dmp
  Filesize: 72KB

• memory/5084-13-0x0000000000140000-0x0000000000250000-memory.dmp
  Filesize: 1.1MB

• memory/5084-12-0x00007FF857E23000-0x00007FF857E25000-memory.dmp
  Filesize: 8KB
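Added example, not part of the sandbox report: a parser for the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names above that re-derives each region's size from its address range, checks it against the printed Filesize, and groups sizes by process. The names and sizes are copied from the list; the "same-size region in many PIDs" grouping is the editor's own heuristic and only shows that nine of the processes each map a 0x12000-byte region, not what that region holds.

```python
"""Parse the memory dump names listed above, re-derive region sizes from the
address ranges, and report sizes that recur across processes.

Added example, not part of the sandbox report. REGIONS copies the names and
Filesize strings from the list above; the shared-size grouping is an assumption
about what is worth looking at, not something the report states.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, Filesize as printed) copied from the report.
REGIONS = [
    ("memory/372-45-0x000002A3670B0000-0x000002A3670D2000-memory.dmp", "136KB"),
    ("memory/1008-115-0x000000001AD90000-0x000000001ADA2000-memory.dmp", "72KB"),
    ("memory/1904-141-0x00000000013C0000-0x00000000013D2000-memory.dmp", "72KB"),
    ("memory/2700-108-0x00000000031C0000-0x00000000031D2000-memory.dmp", "72KB"),
    ("memory/2860-122-0x0000000002780000-0x0000000002792000-memory.dmp", "72KB"),
    ("memory/2928-148-0x0000000002AA0000-0x0000000002AB2000-memory.dmp", "72KB"),
    ("memory/3580-92-0x0000000002890000-0x00000000028A2000-memory.dmp", "72KB"),
    ("memory/4236-101-0x00000000013E0000-0x00000000013F2000-memory.dmp", "72KB"),
    ("memory/4244-155-0x0000000002770000-0x0000000002782000-memory.dmp", "72KB"),
    ("memory/5084-17-0x000000001AE70000-0x000000001AE7C000-memory.dmp", "48KB"),
    ("memory/5084-16-0x0000000002540000-0x000000000254C000-memory.dmp", "48KB"),
    ("memory/5084-15-0x000000001AE60000-0x000000001AE6C000-memory.dmp", "48KB"),
    ("memory/5084-14-0x00000000024D0000-0x00000000024E2000-memory.dmp", "72KB"),
    ("memory/5084-13-0x0000000000140000-0x0000000000250000-memory.dmp", "1.1MB"),
    ("memory/5084-12-0x00007FF857E23000-0x00007FF857E25000-memory.dmp", "8KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, start/end addresses and byte size."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Regions are whole 4 KiB pages; anything else is a malformed name.
    if end <= start or (end - start) % 0x1000:
        raise ValueError(f"range is not a positive whole number of pages: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a size the way the report prints it: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def check_sizes(regions):
    """Return the names whose address range disagrees with the printed Filesize."""
    return [name for name, printed in regions if human_size(parse_dump_name(name)["size"]) != printed]


def shared_sizes(regions):
    """Map region size -> sorted PIDs, keeping only sizes seen in two or more processes."""
    by_size = defaultdict(set)
    for name, _ in regions:
        r = parse_dump_name(name)
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REGIONS))
    for size, pids in shared_sizes(REGIONS).items():
        print(f"{human_size(size)} (0x{size:X}) region present in {len(pids)} processes: {pids}")
```

Run against the full dump list of a report, `shared_sizes` is a quick way to see which spawned processes received the same-sized mapping as the parent (here the 0x12000-byte region in PID 5084 and eight children); the 0x7FF8... region in 5084-12 sits in the address range where system DLLs are mapped, so treat the low-address regions as the ones worth pulling for string and .NET metadata inspection.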