Overview

overview

10

Static

static

3

ca2f91b5d5...47.exe

windows7-x64

10

ca2f91b5d5...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe

  • Size

    4.9MB

  • MD5

    4e3ae6b4f8ea1c5d2fb3a8bc008e2fff

  • SHA1

    22329e6ce220cce52f7dde6e03c082d31f27bbae

  • SHA256

    ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847

  • SHA512

    6394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655

  • SSDEEP

    49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
    evasiontrojan
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe
    "C:\Users\Admin\AppData\Local\Temp\ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Users\Admin\Cookies\WmiPrvSE.exe
      "C:\Users\Admin\Cookies\WmiPrvSE.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3032
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d512a23-a4e3-42ab-803d-a234a2a9df0d.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\Cookies\WmiPrvSE.exe
          C:\Users\Admin\Cookies\WmiPrvSE.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2000
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1763930-92ac-4d53-af0f-3621aa4c20e6.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:884
            • C:\Users\Admin\Cookies\WmiPrvSE.exe
              C:\Users\Admin\Cookies\WmiPrvSE.exe
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2740
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55252e5f-6d24-4a62-a47a-9f4e39d79f40.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2600
                • C:\Users\Admin\Cookies\WmiPrvSE.exe
                  C:\Users\Admin\Cookies\WmiPrvSE.exe
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1808
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bff3c35-cd3c-4b8e-ac30-750c6dc4d5a7.vbs"
                    9⤵
                      PID:700
                      • C:\Users\Admin\Cookies\WmiPrvSE.exe
                        C:\Users\Admin\Cookies\WmiPrvSE.exe
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1932
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d90837-e3ed-4606-8ba4-0840da34968c.vbs"
                          11⤵
                            PID:2392
                            • C:\Users\Admin\Cookies\WmiPrvSE.exe
                              C:\Users\Admin\Cookies\WmiPrvSE.exe
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2064
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08eff61-3fae-4d1b-82fb-32dc7137eaa5.vbs"
                                13⤵
                                  PID:3056
                                  • C:\Users\Admin\Cookies\WmiPrvSE.exe
                                    C:\Users\Admin\Cookies\WmiPrvSE.exe
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1612
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f55063-d043-4df2-8c53-2fd0e06b2d47.vbs"
                                      15⤵
                                        PID:996
                                        • C:\Users\Admin\Cookies\WmiPrvSE.exe
                                          C:\Users\Admin\Cookies\WmiPrvSE.exe
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2432
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd69200b-182b-47dc-a3d0-c36757f9ff9a.vbs"
                                            17⤵
                                              PID:1808
                                              • C:\Users\Admin\Cookies\WmiPrvSE.exe
                                                C:\Users\Admin\Cookies\WmiPrvSE.exe
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:1460
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16479034-82db-4c3d-af5c-fd8296a722e3.vbs"
                                                  19⤵
                                                    PID:2764
                                                    • C:\Users\Admin\Cookies\WmiPrvSE.exe
                                                      C:\Users\Admin\Cookies\WmiPrvSE.exe
                                                      20⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:644
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe4cbba-3d2f-4142-9604-01c92a051de7.vbs"
                                                        21⤵
                                                          PID:2428
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f8d115-696d-41fc-bba3-9df05642fda1.vbs"
                                                          21⤵
                                                            PID:2596
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21ac5a72-85ea-47ee-be12-2e39c331b5a5.vbs"
                                                        19⤵
                                                          PID:2924
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae68b5be-48a5-42b7-865e-cdd9d3d010e4.vbs"
                                                      17⤵
                                                        PID:2476
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47628496-a2ac-4013-b760-36468519d37e.vbs"
                                                    15⤵
                                                      PID:2776
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ba7ae6-6868-4fea-b3ba-2731963cfd6d.vbs"
                                                  13⤵
                                                    PID:2424
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c934e922-3cec-465b-8014-49faacf9f9b1.vbs"
                                                11⤵
                                                  PID:2408
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4030b3ee-3f08-4ab0-8b95-b91ac2d11434.vbs"
                                              9⤵
                                                PID:1484
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af99892-4a75-44b0-b0b9-95db8e6596fe.vbs"
                                            7⤵
                                              PID:1532
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1676f4-4e7a-4495-99aa-72a3149551b7.vbs"
                                          5⤵
                                            PID:856
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e83e84e-4be8-43cd-bdb8-117aa6237fa6.vbs"
                                        3⤵
                                          PID:944
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2600
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2844
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2120
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2620
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2864
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2820
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2624
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2716
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2256
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1912
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2572
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2992

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\00d90837-e3ed-4606-8ba4-0840da34968c.vbs
                                      Filesize

                                      711B

                                      MD5

                                      0aaeec535e77a477cec4b931dd15d356

                                      SHA1

                                      4324739e9408728e33d31f440618cf52a16aa959

                                      SHA256

                                      7df9d7ba20ff6eadf57d6980c8cabcda6460f0ec101f5fcaf89f11584314607f

                                      SHA512

                                      5914292535f932e9def5bcdd3eba10ec8acfbab258902bbdce0a9ffd81afaf6223597ee5dc4a9887896bb4aaad8d38159059b53407c15948026bf97557ae64d2

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\16479034-82db-4c3d-af5c-fd8296a722e3.vbs
                                      Filesize

                                      711B

                                      MD5

                                      2b4884943050a1d7482f567f817e5eee

                                      SHA1

                                      30a20e688788208bc93f7ea3cfce5db48e03fcac

                                      SHA256

                                      1f51faec70f14dbb0744f75798a054219703be45ceb4bdf9a1c04981c952cb5f

                                      SHA512

                                      2a0abc0067117ec06c5f07c57ceeaebf7e08cbfdc4b194da0364a4677cfed4435185f088d8f75dcbbc4df3255da6496b7550e51080595892e41659cec6fd900d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\1bff3c35-cd3c-4b8e-ac30-750c6dc4d5a7.vbs
                                      Filesize

                                      711B

                                      MD5

                                      3eb62b339662e510e0ddc515e0581108

                                      SHA1

                                      b934f40d37922f28e4d60b9f41545eb3304a1a42

                                      SHA256

                                      42b5dd133d877a0fcc1a5cb28add526170edac04130cfeee5826125dfb3ddcd1

                                      SHA512

                                      b2d697ba4b14dbd828a67c35aa94aa80d8fa867387fcd6e2edda83653e831937edde4151488620ac6d782bf0638eb5c4e28297a0fe161853d5c347a07857055e

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\1e83e84e-4be8-43cd-bdb8-117aa6237fa6.vbs
                                      Filesize

                                      487B

                                      MD5

                                      e44534f976685c8ecffe7f60fcf84bcf

                                      SHA1

                                      41e39347dfbaa8dd658db229fe1fa6f2c63305ec

                                      SHA256

                                      217e48b7a62edfc3ddb02d8c899b457640fdec39fd0859d12475c85d3397a747

                                      SHA512

                                      65a7dc8d674b5c1112740937fa2836e6bcc5fd2c80fd23aa95b01d05f96e83856e504becdacfd36711e76c744c9d11600a1fa1a29d5db3742be0a4e5e5866439

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\3d512a23-a4e3-42ab-803d-a234a2a9df0d.vbs
                                      Filesize

                                      711B

                                      MD5

                                      5296bc5801741202c188e76bcd3ec34b

                                      SHA1

                                      4047e409a26316b0869fae6da236f15f95bdbe0a

                                      SHA256

                                      d025fbef86ccd5d57cd0318ac6b0bf61a750d7da5d7277fd9f012aff2d82dfd3

                                      SHA512

                                      23f37d8ff8297e1a9131f5656a6a10edf74dc28575feaf04eb27bd3ed080b5c9daf436f22e6eda387ba55b74823c6d44e55810bd892189a7ae7cc06ca34f1b51

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\495ed7a571ccf08ae8b9f094a66930378fbbab46.exe
                                      Filesize

                                      4.9MB

                                      MD5

                                      9f858c55cd3f0a35a565230f3111e077

                                      SHA1

                                      8078ee58f72ba679148a77ccf7349df29a152c92

                                      SHA256

                                      cbec168771bb5e467f8a02a550d3d8d28e61e1e917d425e3df3196954ecf42d8

                                      SHA512

                                      0995d1a792236aae5262074ca145d027090478b6661d976f220ff7ba2a4fd5c05ce0268a368f177c593db44b864b8164176be76811a6aba31a7b38206337e537

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\55252e5f-6d24-4a62-a47a-9f4e39d79f40.vbs
                                      Filesize

                                      711B

                                      MD5

                                      a51b0a52ff2cd2c7b51a4c64bf8cfffd

                                      SHA1

                                      c1675049f02994d0b802f29f3a733b474a244881

                                      SHA256

                                      7418d306a388ddd5f5086e152f3e4a58f2a43f4c1be6041276aaed32ff723cdb

                                      SHA512

                                      813bf50f4fde98e87a587fe241bfaaacebcc9d6cea0a804fdf7f98f926f360553b4a55ee38ff76cae4cbb665fd2ba8a98a7c198735ac007038d4a0e638770b82

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\b1763930-92ac-4d53-af0f-3621aa4c20e6.vbs
                                      Filesize

                                      711B

                                      MD5

                                      3b453640376770c7ed9ddf19a4a49139

                                      SHA1

                                      ddf919357befa9e5d7bc7d210ac0f4eea71aa647

                                      SHA256

                                      f6545dc69990bfee216fedcdc748c920856604796631c0b7efe58a77890411fa

                                      SHA512

                                      0ccad00af4bc524b105130ebd3af9f3ddb39ff987ca236a4d8870db5cb66f3d8965515baeb76e044b894f720c6277af2eff9b05fe9a74b3265978054a5572622

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\bbe4cbba-3d2f-4142-9604-01c92a051de7.vbs
                                      Filesize

                                      710B

                                      MD5

                                      f75095c435cc54b4e872de1922eec7e0

                                      SHA1

                                      067a73f11aab870862f54b5068d4c81d99580a94

                                      SHA256

                                      1c6d766b1888932ce6b40de36a29c96997d31761af011f78415cae48ccee05b1

                                      SHA512

                                      367e4d50ee302739472a29639b758ed5df4816650f9cc9e44df4804ba2f0d60cea78e32f64ee7a1665042d6bb5d89a7dc76c376ae14d814a96931756844cd9ec

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\bd69200b-182b-47dc-a3d0-c36757f9ff9a.vbs
                                      Filesize

                                      711B

                                      MD5

                                      584f04ec0a3897cf41a8ebe92be3b0fc

                                      SHA1

                                      da3ae586c4554170601f3bdc790fc920ca562142

                                      SHA256

                                      33c7d8003e88d4337c728aeea9d1dd75104d27da8346b67c393d2846f138ead1

                                      SHA512

                                      e33f9b4a61f808ad206357b4f80ddd50cbcfb11e303019a66095c3792c644fac135fe41d2d21d88b8ad051f6fccacd20077c44340ce9fe109870f0ee339ca11c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\c08eff61-3fae-4d1b-82fb-32dc7137eaa5.vbs
                                      Filesize

                                      711B

                                      MD5

                                      2394902cc50ab9f660fcc18339183e69

                                      SHA1

                                      467828b66e3444d0966889eaf7667df78306d7a6

                                      SHA256

                                      ceb858c7cf99a0c1519b3a87a63135485bf90432a011b7879d0b9c925643fbf8

                                      SHA512

                                      c22aeefd1224fa19eedb4669c90608fb1f0af79ee39c7c1d9e9cf44b24aca16ba75a6bec6daadb32b57c3ea8bf2b262f0fcb69d9a790576d927f8ba2307a2184

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\f2f55063-d043-4df2-8c53-2fd0e06b2d47.vbs
                                      Filesize

                                      711B

                                      MD5

                                      6b3ca7647177a30ce885ebc8f15ab0fd

                                      SHA1

                                      bcdcc238b8f2caed2ddf094abfd5ffd7a26020e4

                                      SHA256

                                      2386764d46738eb40ff40a4fd8e1d47bb6d7c921341bd685b8f1acca0eb665a8

                                      SHA512

                                      5f7b0d9de698dc9ce753b556202714472dbca92bb249215f768a5cc45dee580b7a67b8cec999a14a64b13376a05da08aa2f32a72bb99f10336c2f79fb90570ce

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\tmp30D0.tmp.exe
                                      Filesize

                                      75KB

                                      MD5

                                      e0a68b98992c1699876f818a22b5b907

                                      SHA1

                                      d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                      SHA256

                                      2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                      SHA512

                                      856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                      Download Submit

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                      Filesize

                                      7KB

                                      MD5

                                      7cf70a377a9839411de49bf1f4f61773

                                      SHA1

                                      4be1676995c3a8be69377425b19358bf78492b6d

                                      SHA256

                                      d79eb408b86d6bf0c951b7654d0cd285ea0a309b7e7be49968216a2b1007f6e8

                                      SHA512

                                      9e1ce5946b9811e0d0914087445c758911970a44b0907a467f03e3ae6da42d95860e78d0f7d15b336b80ae1bfe5264276a56e65b1e873d03091501d59f7c9136

                                      Download Submit

                                    • C:\Users\Default\OSPPSVC.exe
                                      Filesize

                                      4.9MB

                                      MD5

                                      4e3ae6b4f8ea1c5d2fb3a8bc008e2fff

                                      SHA1

                                      22329e6ce220cce52f7dde6e03c082d31f27bbae

                                      SHA256

                                      ca2f91b5d5d54a3fb916249210e53552b78ec7f4ffdce9be81884be15bef2847

                                      SHA512

                                      6394d0a6883e478bf7f196ef1c829ff7d579ebfde1ddbdd5c59a57eb40ba82c5c15f41f71bfa4f31227198c8d722c5872c0aa01d5e750dd19523a8237db5b655

                                      Download Submit

                                    • memory/644-248-0x00000000000B0000-0x00000000005A4000-memory.dmp

                                      Filesize

                                      5.0MB

                                      Download

                                    • memory/1764-5-0x00000000004A0000-0x00000000004A8000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/1764-14-0x00000000005C0000-0x00000000005C8000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/1764-10-0x0000000000580000-0x0000000000592000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/1764-15-0x00000000005D0000-0x00000000005D8000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/1764-119-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

                                      Filesize

                                      9.9MB

                                      Download

                                    • memory/1764-2-0x000000001B440000-0x000000001B56E000-memory.dmp

                                      Filesize

                                      1.2MB

                                      Download

                                    • memory/1764-3-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

                                      Filesize

                                      9.9MB

                                      Download

                                    • memory/1764-13-0x00000000005B0000-0x00000000005BE000-memory.dmp

                                      Filesize

                                      56KB

                                      Download

                                    • memory/1764-9-0x0000000000570000-0x000000000057A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/1764-11-0x0000000000590000-0x000000000059A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/1764-1-0x0000000000EF0000-0x00000000013E4000-memory.dmp

                                      Filesize

                                      5.0MB

                                      Download

                                    • memory/1764-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1764-12-0x00000000005A0000-0x00000000005AE000-memory.dmp

                                      Filesize

                                      56KB

                                      Download

                                    • memory/1764-8-0x0000000000560000-0x0000000000570000-memory.dmp

                                      Filesize

                                      64KB

                                      Download

                                    • memory/1764-7-0x00000000004C0000-0x00000000004D6000-memory.dmp

                                      Filesize

                                      88KB

                                      Download

                                    • memory/1764-6-0x00000000004B0000-0x00000000004C0000-memory.dmp

                                      Filesize

                                      64KB

                                      Download

                                    • memory/1764-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/1764-4-0x0000000000480000-0x000000000049C000-memory.dmp

                                      Filesize

                                      112KB

                                      Download

                                    • memory/1924-121-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/2000-135-0x00000000006E0000-0x00000000006F2000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/2664-120-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

                                      Filesize

                                      2.9MB

                                      Download

                                    • memory/3032-82-0x00000000012A0000-0x0000000001794000-memory.dmp

                                      Filesize

                                      5.0MB

                                      Download