dcrat | 54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Size

1.8MB
MD5

7ef44e6c54801a42dc9cff0bf0459036
SHA1

45322aee2375b98a8b443e08d5e9f58ac10e9e2d
SHA256

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab
SHA512

dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250
SSDEEP

49152:ZWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:DKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	548	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	548	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	548	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	548	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	548	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	548	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3160-1-0x0000000000480000-0x000000000064C000-memory.dmp	dcrat
behavioral2/files/0x0009000000023bc7-34.dat	dcrat
behavioral2/files/0x000a000000023c1a-53.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4540	powershell.exe
5028	powershell.exe
3760	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\SearchApp.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File created	C:\Windows\Offline Web Pages\38384e6a620884	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXA1E1.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXA25F.tmp	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
File opened for modification	C:\Windows\Offline Web Pages\SearchApp.exe	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2384	schtasks.exe
1108	schtasks.exe
3520	schtasks.exe
3556	schtasks.exe
4304	schtasks.exe
4456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
3760	powershell.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
4540	powershell.exe
3760	powershell.exe
5028	powershell.exe
3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
4540	powershell.exe
5028	powershell.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe
2316	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	csrss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	2316	csrss.exe
Token: SeBackupPrivilege	3540	vssvc.exe
Token: SeRestorePrivilege	3540	vssvc.exe
Token: SeAuditPrivilege	3540	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 5028	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	89
PID 3160 wrote to memory of 5028	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	89
PID 3160 wrote to memory of 3760	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	90
PID 3160 wrote to memory of 3760	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	90
PID 3160 wrote to memory of 4540	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	91
PID 3160 wrote to memory of 4540	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	91
PID 3160 wrote to memory of 2316	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	95
PID 3160 wrote to memory of 2316	3160	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe	95
PID 2316 wrote to memory of 4932	2316	csrss.exe	96
PID 2316 wrote to memory of 4932	2316	csrss.exe	96
PID 2316 wrote to memory of 1900	2316	csrss.exe	97
PID 2316 wrote to memory of 1900	2316	csrss.exe	97

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe
"C:\Users\Admin\AppData\Local\Temp\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Users\Admin\csrss.exe
  "C:\Users\Admin\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f896aa32-8819-4bd0-9582-15787a7728c2.vbs"
    3⤵
    PID:4932
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40052692-b50f-4c23-ba89-bf2a19d41404.vbs"
    3⤵
    PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\40052692-b50f-4c23-ba89-bf2a19d41404.vbs

Filesize
476B

MD5
1709bf572c09f126b0c4655f8d651f65

SHA1
911306ef18de81f7b4f9118401ec54d953d1ed2e

SHA256
3ab8168db278398bd03da0901aa8b7efbf7078d2379d5150b0f728d015f0e289

SHA512
b795c8ba42e441f016b4f98dbc591e465ea9ae99260752324358b0a21b97c77a02358d7566a5a4835e6f7b560e9051c8104282ed869fe4d302b473f0e14cc8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohrc4vbb.rge.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f896aa32-8819-4bd0-9582-15787a7728c2.vbs

Filesize
700B

MD5
9a633c00f22c4b306a88d88a1dd38092

SHA1
5362905af5d2e9b85ac45296443d3586d1aeb150

SHA256
c6c17cf927378f4fe59946542cc911909b1c393085b7a1c81009a234f2f3676a

SHA512
723cd32b2c3ed5fa771c53a92f6cb462c3b68457814e400f449953f5c912d48cbdde420b9ee23dbb4ede34cdba09d55ea901227b3a269d6caa81a916dac97223

Download Submit
C:\Users\Admin\csrss.exe

Filesize
1.8MB

MD5
7ef44e6c54801a42dc9cff0bf0459036

SHA1
45322aee2375b98a8b443e08d5e9f58ac10e9e2d

SHA256
54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

SHA512
dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250

Download Submit
C:\Windows\Offline Web Pages\SearchApp.exe

Filesize
1.8MB

MD5
d12cafac06ebb67ff4dab2d8c00128af

SHA1
a78b69ca0f3cf57014392b7a028777bd31d89fac

SHA256
2ffce989e23a8e554e8408167122ac6441256d50656fd26ae405b64abc31caf7

SHA512
4f0b3e344b6e497476530f1ac1fcadb2303557cb82c032b3c2409804e66836a2e552d3b33908360b51d1c68e28896f83344f44162b54ef19952c56fbed50f7ea

Download Submit
memory/2316-287-0x000000001DB40000-0x000000001DB50000-memory.dmp

Filesize
64KB

Download
memory/3160-8-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/3160-16-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/3160-11-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/3160-12-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

Filesize
48KB

Download
memory/3160-13-0x000000001B2F0000-0x000000001B2FC000-memory.dmp

Filesize
48KB

Download
memory/3160-14-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/3160-15-0x000000001BA70000-0x000000001BA78000-memory.dmp

Filesize
32KB

Download
memory/3160-20-0x000000001BC00000-0x000000001BC0C000-memory.dmp

Filesize
48KB

Download
memory/3160-21-0x000000001BC10000-0x000000001BC1C000-memory.dmp

Filesize
48KB

Download
memory/3160-19-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/3160-22-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-18-0x000000001BBA0000-0x000000001BBAE000-memory.dmp

Filesize
56KB

Download
memory/3160-17-0x000000001BA90000-0x000000001BA9A000-memory.dmp

Filesize
40KB

Download
memory/3160-10-0x00000000027D0000-0x00000000027DC000-memory.dmp

Filesize
48KB

Download
memory/3160-25-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-7-0x0000000002790000-0x00000000027A6000-memory.dmp

Filesize
88KB

Download
memory/3160-0-0x00007FFD22063000-0x00007FFD22065000-memory.dmp

Filesize
8KB

Download
memory/3160-9-0x00000000027C0000-0x00000000027CA000-memory.dmp

Filesize
40KB

Download
memory/3160-1-0x0000000000480000-0x000000000064C000-memory.dmp

Filesize
1.8MB

Download
memory/3160-5-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/3160-6-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/3160-4-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/3160-277-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-3-0x0000000002760000-0x000000000277C000-memory.dmp

Filesize
112KB

Download
memory/3160-2-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/3760-222-0x000002256C650000-0x000002256C672000-memory.dmp

Filesize
136KB

Download