dcrat | cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b

Analysis

max time kernel
9s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6689bd9a5c795eedc631e5fbb850b7ff.exe
Size

1.5MB
MD5

6689bd9a5c795eedc631e5fbb850b7ff
SHA1

b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2
SHA256

cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b
SHA512

ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf
SSDEEP

24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\WmiPrvSE.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Desktop\\6689bd9a5c795eedc631e5fbb850b7ff.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1864	powershell.exe
2676	powershell.exe
4524	powershell.exe
4508	powershell.exe
4436	powershell.exe
4312	powershell.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\WmiPrvSE.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6689bd9a5c795eedc631e5fbb850b7ff = "\"C:\\Users\\Default\\Desktop\\6689bd9a5c795eedc631e5fbb850b7ff.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6689bd9a5c795eedc631e5fbb850b7ff = "\"C:\\Users\\Default\\Desktop\\6689bd9a5c795eedc631e5fbb850b7ff.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\WmiPrvSE.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6569787EF2034DD38C324F2449B1B5F9.TMP	csc.exe
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\42af1c969fbb7b	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\24dbde2999530e	6689bd9a5c795eedc631e5fbb850b7ff.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\0a1fd5f707cd16	6689bd9a5c795eedc631e5fbb850b7ff.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3520	schtasks.exe
2540	schtasks.exe
2864	schtasks.exe
4852	schtasks.exe
4032	schtasks.exe
4156	schtasks.exe
4080	schtasks.exe
1924	schtasks.exe
4572	schtasks.exe
4672	schtasks.exe
4536	schtasks.exe
3340	schtasks.exe
5036	schtasks.exe
4480	schtasks.exe
4428	schtasks.exe
2460	schtasks.exe
4060	schtasks.exe
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe
2876	6689bd9a5c795eedc631e5fbb850b7ff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	6689bd9a5c795eedc631e5fbb850b7ff.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4204	2876	6689bd9a5c795eedc631e5fbb850b7ff.exe	34
PID 2876 wrote to memory of 4204	2876	6689bd9a5c795eedc631e5fbb850b7ff.exe	34
PID 2876 wrote to memory of 4204	2876	6689bd9a5c795eedc631e5fbb850b7ff.exe	34
PID 4204 wrote to memory of 4336	4204	csc.exe	36
PID 4204 wrote to memory of 4336	4204	csc.exe	36
PID 4204 wrote to memory of 4336	4204	csc.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe
"C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lpki4yvn\lpki4yvn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8305.tmp" "c:\Windows\System32\CSC6569787EF2034DD38C324F2449B1B5F9.TMP"
    3⤵
    PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\6689bd9a5c795eedc631e5fbb850b7ff.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mn760smzdC.bat"
  2⤵
  PID:1736
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2448
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1944
- - C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe
    "C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe"
    3⤵
    PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff6" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff" /sc ONLOGON /tr "'C:\Users\Default\Desktop\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff6" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff6" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff6" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\es-ES\WmiPrvSE.exe

Filesize
1.5MB

MD5
6689bd9a5c795eedc631e5fbb850b7ff

SHA1
b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2

SHA256
cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b

SHA512
ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8305.tmp

Filesize
1KB

MD5
e45a73ea09d1421340e3614f1411b84f

SHA1
d0ce9e5039215a70193ca9d25b16a34eadf704ea

SHA256
3d692ca271b4eaf4281b7b46d19361da64bb807975bb32d72c8d66c11ef91f76

SHA512
14acdc9685fae0935e6b8d2d9ba3823d73ff1ac90ea02a0fd32b74d83d2a9f9b02520691fa488e9c42b6efec751cbdb664ea57a53d62ea969b8aaabc061387ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mn760smzdC.bat

Filesize
246B

MD5
2a7584a5dbbe02abb7540b28d12846f8

SHA1
360fdfcdccb083de27bb34ec55904735e505d6e7

SHA256
360bdb181880e08e2b8d3a56b85ff14d3741afef1c215e4cff86f3810aff4e96

SHA512
a946fac1be1b2659a1df2a2553a4a3a84609e2ec0d03544d06ea0156c141dfc5abd8f77848c36958d18833436c190020ba93338d24bb57c2151c25a3cb305284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5075930594aa2e284a9062d1f38bbf30

SHA1
41001541ea46708830560d01041f43360aaee0a5

SHA256
244424af95154ee08e4cf6bf25ecaa511443be9b97249a48b6e107f884a94261

SHA512
244d16025fc15632008f595ab18a9c7c55f80fe2dcf07c975295c7e18dc07b8d168b36b0cb0f2565c81740e3ed0a304a6f4cf65d883bac98d6a0cb9e0a642799

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lpki4yvn\lpki4yvn.0.cs

Filesize
390B

MD5
050b09987051e8492deed96d04e16ff2

SHA1
0e8328abfd397bbecf7aaddf7d3616e64245f16f

SHA256
c44f55a71f37805b96ba64e4dd34225767f7cd27626defbb327d90aef744011f

SHA512
16c01c2ad0e13b45dae093e5ad0b55d1f9870a61e4413cfb444dd23dd70c391163d0375e035cda5f15ca0f37e2e4a134cb8085def46f31fc0c8a39963f583f1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lpki4yvn\lpki4yvn.cmdline

Filesize
235B

MD5
592eaae274f9146671cf0b804c8ac1d4

SHA1
c5eb30b712dfc87924da12915aa096bf4efa5d35

SHA256
f847adbaf86aeb6c68ebf2cc186c12aa7bc29f5723977f8e5c3e667b16a4ef2f

SHA512
01c47c13401fcbaf96844bfd421714891e716992ea316651096ba99219e63882d9e745792e53ff133363172068e50a465290931d087f785153bcf9deb6b41f40

Download Submit
\??\c:\Windows\System32\CSC6569787EF2034DD38C324F2449B1B5F9.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
memory/1864-3635-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1864-3636-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2876-54-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-46-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-36-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-8-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-64-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-62-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-10-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-60-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-58-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-30-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-12-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-14-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-26-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-16-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-4-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-18-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-20-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-22-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-244-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-66-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-56-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-28-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-52-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-50-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-48-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-6-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-44-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-42-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-40-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-38-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-34-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-32-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-24-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-3560-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3561-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3562-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2876-3566-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2876-3571-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2876-3572-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3585-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3586-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3587-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3634-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3-0x000000001AF30000-0x000000001B104000-memory.dmp

Filesize
1.8MB

Download
memory/2876-2-0x000000001AF30000-0x000000001B10A000-memory.dmp

Filesize
1.9MB

Download
memory/2876-1-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/2876-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2876-3574-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3569-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/2876-3567-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3564-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/4836-3639-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download