Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 02:01

General

  • Target

    JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe

  • Size

    1.3MB

  • MD5

    8d758308ba356cd4992ecfdd50db9774

  • SHA1

    bd07292d17333584c99654a584fae2420f589ed0

  • SHA256

    b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2

  • SHA512

    8ffe7d228ee170dd2b9203bd68cd3ceca415a2eb638977f0269df5f3d4c5c46e1b89b3ed203a5ecb6b1bc22a7246268b942ee83d5fedf0f0ef626a4eb3dd5d3c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3488
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6kHtwRJ3KO.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3424
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2996
              • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4720
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2276
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4280
                    • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                      "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1652
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2360
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:3180
                          • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                            "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4524
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2792
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:3388
                                • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                  "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4536
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:884
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:4544
                                      • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                        "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:3172
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1196
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:460
                                            • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                              "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:1268
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:3396
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:4000
                                                  • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                    "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4200
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
                                                      19⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2896
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        20⤵
                                                          PID:1248
                                                        • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                          "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                          20⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2992
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
                                                            21⤵
                                                              PID:4596
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                22⤵
                                                                  PID:5096
                                                                • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                                  "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                                  22⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:984
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
                                                                    23⤵
                                                                      PID:1468
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        24⤵
                                                                          PID:2032
                                                                        • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                                          "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                                          24⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3068
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
                                                                            25⤵
                                                                              PID:2880
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                26⤵
                                                                                  PID:2060
                                                                                • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                                                  "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                                                  26⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3404
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
                                                                                    27⤵
                                                                                      PID:4424
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        28⤵
                                                                                          PID:1472
                                                                                        • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                                                          "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                                                          28⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2904
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
                                                                                            29⤵
                                                                                              PID:2448
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                30⤵
                                                                                                  PID:3616
                                                                                                • C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
                                                                                                  "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
                                                                                                  30⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1960
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2728
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3540
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2704
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:5016
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1836
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3012
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:5020
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:968
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2028

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              baf55b95da4a601229647f25dad12878

                                              SHA1

                                              abc16954ebfd213733c4493fc1910164d825cac8

                                              SHA256

                                              ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                              SHA512

                                              24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              2KB

                                              MD5

                                              d85ba6ff808d9e5444a4b369f5bc2730

                                              SHA1

                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                              SHA256

                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                              SHA512

                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              6d3e9c29fe44e90aae6ed30ccf799ca8

                                              SHA1

                                              c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                              SHA256

                                              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                              SHA512

                                              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                            • C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

                                              Filesize

                                              217B

                                              MD5

                                              d20df6e4d4ad860dd339e157dca06d59

                                              SHA1

                                              1cda8136ec8345069b6349d4a60c9be990ced39f

                                              SHA256

                                              2d43a4b5ebb84fc3c26a2431cf375c4075d9f0cd4ab85d2650c2be1091c6f25c

                                              SHA512

                                              db88574cedfaf74e1ac9a88e962d1f3e2a7aff44427c5aa965b85f3b7646ab4ea91fa4506f6408150ab97e7c9d072e15aab7a57d7d59ee593e290d4b7263d994

                                            • C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

                                              Filesize

                                              217B

                                              MD5

                                              d078d08efe29118ad576173b8a5570d7

                                              SHA1

                                              764384ba347058307e3caf3c141b81aa89de6479

                                              SHA256

                                              5ac284d0b3bda9f5ab3aaef9bb49b76c9ae4f1d1bdb3a1174daaff7fe76216c7

                                              SHA512

                                              3f6809f14bfa0922f7fcfb29c25e6226e7cc8ab7f3c79895340b4c50357b5dac9141c9116cf1ab080f2d91f08ccf1588fa0fc1dcbdbfff71b80534dc4a5e21eb

                                            • C:\Users\Admin\AppData\Local\Temp\6kHtwRJ3KO.bat

                                              Filesize

                                              217B

                                              MD5

                                              2f00d970324926e019257770114abf9d

                                              SHA1

                                              9aa3ebe152f3730e8ac1d89cb3f7f91d4d1921cf

                                              SHA256

                                              3c21286ae39f5065784042fa96683614f4c41a25d1946c2426faf8c6069494b5

                                              SHA512

                                              d78a7fdba18e47c7c8356c12adfab458aa85b8c29f559a5a3ae5200887bad84a80f75e76ab679375b8a538bcf10bcc0a8529b1528db6721d94fc493cde1aead3

                                            • C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

                                              Filesize

                                              217B

                                              MD5

                                              0b68816464a3130b1ccebc1dbc42dda2

                                              SHA1

                                              ff5eac6e35d2e9bc4f9cb38ba98e7bfbe61b807e

                                              SHA256

                                              5ac3259613379e0dde45cc4e0945c31e2660c65dc1ac8575aad1ba9c4684fa42

                                              SHA512

                                              c8b2531baf8b59b728a1ba16593767ad5e05db5caa95c2f5c2c009d851c2149f79d21a1a60df877b95c140b08dbb6e43625c8f426cc083939bd933546eca3137

                                            • C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

                                              Filesize

                                              217B

                                              MD5

                                              dcd7c1166dbf6182c727a27d18c1be7d

                                              SHA1

                                              7d04a10517933952ead697514a64be24a10c3919

                                              SHA256

                                              047f472434ba5b4852e88ff2a077d34102421e9923290bace95832072d305123

                                              SHA512

                                              4cfabec7695d46532c3e4e3273c4b3c2381cd4e856bd2d4382170e0bbf5d3a055335773061e9f1d586d3acfa67ad007139ce90382762e2355ae8a6f06953b95c

                                            • C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

                                              Filesize

                                              217B

                                              MD5

                                              5bb96bf6328de313d299638f01192e5b

                                              SHA1

                                              1b04693ae73dd2e57f4bd9b454c6601dded80973

                                              SHA256

                                              50e20e01ef779868980a2123f4ea04eb9ec642010c5b11b4241a3a232f561b40

                                              SHA512

                                              29687b1df8de94796f3df4a9c5477d59109761eee6c8a28b40dcf450306ac9f04ff93dafa2db42afe98cf79eaf30dfc01ca179b57e6bfbd661796331754d2101

                                            • C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

                                              Filesize

                                              217B

                                              MD5

                                              ebc3b1b3deeccee588ac6b63002cfd66

                                              SHA1

                                              1d93e65168a15d87ff63083608e9b608aa5a4d9d

                                              SHA256

                                              49946d8dc79103a10902140b13011659545990a883f6a22b2697ce7f7d090c0c

                                              SHA512

                                              551c32a6debea76832d83fdb4720aa66626fe73b789ee16bb5cec52aa4f1175d91cb539e1e3a004b4b29306c19175ca02cc1f1c529652725d0bc7bc1cd9aaae2

                                            • C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

                                              Filesize

                                              217B

                                              MD5

                                              a5b3eac5a5094cc3498ddac4be8cafc3

                                              SHA1

                                              0757b15acc8d09c0ea6bfc57919fe0b51863db91

                                              SHA256

                                              f894dddf2ddc660649ef050fa1b3ae7707b8593620831f8f3ddfabacbcb3b48d

                                              SHA512

                                              04dd6bae14205b5957852d3bdb3ec1c190d960144fd5d927973e0d223543f9f24f44672a362cbd83cffe51f570524b2f4423315c1ee0de633414ced3872755ba

                                            • C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

                                              Filesize

                                              217B

                                              MD5

                                              0bc81441f2cbd90177888a5a4d4f7986

                                              SHA1

                                              9e4648eda84b29bbdeaed6cac6917b2cc4cdd139

                                              SHA256

                                              ad6d5e229659dec7e6219051bb932f8bdbce86276a2ef7dca1a7922fb12fa7cf

                                              SHA512

                                              3155850f209927c606191ea364b052ed4a2434fe6eff0404a1b1c8f0552b44881282316662908a185c45841d4aa65f0a8b23a760f0ecdb5e561a9650772b06cf

                                            • C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

                                              Filesize

                                              217B

                                              MD5

                                              75337f8691dc9c196dd1856836c92305

                                              SHA1

                                              faf6af7f9a63851584e78ff28b61f82f713b8ade

                                              SHA256

                                              1c4fabf8bdda2d82b421c65ad2483e0c9c8616213268fef2ad4cfb957cacf484

                                              SHA512

                                              be5a3bd4cd74aae4a45ee62ca0bdd7f89d7aa9f3bb20d19e8b6dd807ca13c2df32121add344df72f1992c7006324b3615130a34ed56c80c857fbb19d4052aeb5

                                            • C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

                                              Filesize

                                              217B

                                              MD5

                                              93fe14af2ec2a9cf697ee9d79ca83afa

                                              SHA1

                                              1caea778544cf597d70a28868a73536197cd29aa

                                              SHA256

                                              0eb08f15a004a90aeafc565b4d0a844bceefd916100ba9018d3bb8607b2fd50a

                                              SHA512

                                              9b0e122ac5acfe75a497b916f874048c5050b0ffdc86040d95a30896567de43fa5197778bee2964cb7f0ff3e3fa53e0f9ebb0248c4b83fae963df95e5b5484bf

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgjg3jmg.bpd.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

                                              Filesize

                                              217B

                                              MD5

                                              8cf869d8ac0b9f0f7072e30ef243caa7

                                              SHA1

                                              363107f124ac71bb261f69419fb027cfa4dd789a

                                              SHA256

                                              b5755586eebbfbed973453bf38a28cbe201a0467b929c9a9dd2ed92c904e4053

                                              SHA512

                                              cb023648ffcbaa345035460865aba28e2a5b9fd5669bc64ef5c2035b5bc3f183a2d11196504262482013935d9fd33261f94ecddd9d540873f08912aa2d20bd75

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/984-132-0x0000000001680000-0x0000000001692000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1196-34-0x0000020C4C340000-0x0000020C4C362000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/1652-88-0x0000000002250000-0x0000000002262000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3404-145-0x0000000000C40000-0x0000000000C52000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4256-14-0x0000000002290000-0x00000000022A2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4256-12-0x00007FFDF1813000-0x00007FFDF1815000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/4256-15-0x000000001ACF0000-0x000000001ACFC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4256-16-0x00000000023B0000-0x00000000023BC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4256-13-0x00000000000C0000-0x00000000001D0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/4256-17-0x00000000023C0000-0x00000000023CC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4524-95-0x0000000003010000-0x0000000003022000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4720-79-0x0000000002350000-0x0000000002362000-memory.dmp

                                              Filesize

                                              72KB