Overview

overview

10

Static

static

10

5bebcdba77...7N.exe

windows7-x64

10

5bebcdba77...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe

  • Size

    1.7MB

  • MD5

    f59ecdbcab34fe5159a7d218e5a65f40

  • SHA1

    36b1e99369d6a2199fccddcb0c9a0f08f7ac9ef8

  • SHA256

    5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7

  • SHA512

    9ee5e476d561d0f8b4a3b94c9ee215411f19987c4dadbc76521cb6190a3d412f606d1eb3339c38fd83a1a50d95f7b916c8e7a5a14d0b1127d4276dfa29d76cc4

  • SSDEEP

    49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe
    "C:\Users\Admin\AppData\Local\Temp\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QKRcMIcdUS.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2404
        • C:\Program Files (x86)\Uninstall Information\dllhost.exe
          "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f88de39-e95d-473f-9395-a1b8c1fb4f4f.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1544
            • C:\Program Files (x86)\Uninstall Information\dllhost.exe
              "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:888
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0792f7bb-63bb-49fb-a347-f40868b34173.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1504
                • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                  "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2740
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f73732-5ece-46fc-9220-9fb7690f3ba9.vbs"
                    8⤵
                      PID:2536
                      • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                        "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2440
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e64f863f-bbf7-4a7c-8da1-50a344773b3a.vbs"
                          10⤵
                            PID:2172
                            • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                              "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2828
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a93d10b2-36e7-49cd-a971-798cadb90ff8.vbs"
                                12⤵
                                  PID:2288
                                  • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                                    "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2224
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6f101fc-e3e9-4c61-894c-6a9483356500.vbs"
                                      14⤵
                                        PID:896
                                        • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                                          "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1932
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3874709e-be8d-40f0-aa5d-557fada20cd0.vbs"
                                            16⤵
                                              PID:2008
                                              • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                                                "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                                                17⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1384
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e4fd5e5-3ce1-45ff-bde3-8927dc36ea20.vbs"
                                                  18⤵
                                                    PID:2680
                                                    • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                                                      "C:\Program Files (x86)\Uninstall Information\dllhost.exe"
                                                      19⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1648
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2f9636f-c2e7-471f-a375-da97577ee72b.vbs"
                                                        20⤵
                                                          PID:2364
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\078d574b-6ec5-45ec-a349-afac8d0837ea.vbs"
                                                          20⤵
                                                            PID:2980
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ace0bf3-a972-4c0f-952c-cbee612a1b63.vbs"
                                                        18⤵
                                                          PID:1460
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9010db26-dbe4-4c31-b6f9-41d1275a49da.vbs"
                                                      16⤵
                                                        PID:968
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600c570d-8c82-400e-b3df-a71ba24763d3.vbs"
                                                    14⤵
                                                      PID:2320
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f957bb0-356d-4351-b5cf-8591e46580c7.vbs"
                                                  12⤵
                                                    PID:1952
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8860b5e0-155f-4720-b6e2-6ab3cfc44ae2.vbs"
                                                10⤵
                                                  PID:2684
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9749b8bd-bbb2-43b0-b27e-a5792cec1827.vbs"
                                              8⤵
                                                PID:1568
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\218d8d7f-7d18-4b13-8443-bbe376287870.vbs"
                                            6⤵
                                              PID:2544
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2f8ecb0-9b42-4821-ae0d-226852e0d104.vbs"
                                          4⤵
                                            PID:856
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2772
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2720
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2840
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N5" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2692
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2760
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N5" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7N.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2988
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2824
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2592
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2648
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\sppsvc.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2628
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2208
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1632
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2112
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1152
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2644

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
                                      Filesize

                                      1.7MB

                                      MD5

                                      b1aa4a544ec98c03a19115d1c5923e35

                                      SHA1

                                      ea947a8757753e54db1cc4e74aba206da0dddd0f

                                      SHA256

                                      921e861005ea05564d4491f1c62bc2d48db8fe0f1d62673a955fb781bbfec2e5

                                      SHA512

                                      65bd05092235f7a2789e0332ca05d6dfa6b06d878d14916b7ab6e8f7c88caf561c86f23a4b52a6d3ddc1af443ea4880a64266b5d588260ad5b789f0ebd4a54e4

                                      Download Submit

                                    • C:\Program Files (x86)\Uninstall Information\dllhost.exe
                                      Filesize

                                      1.7MB

                                      MD5

                                      f59ecdbcab34fe5159a7d218e5a65f40

                                      SHA1

                                      36b1e99369d6a2199fccddcb0c9a0f08f7ac9ef8

                                      SHA256

                                      5bebcdba779f07698db032b764c1fb214f3ee493a718aa78bcac6a5a7bb074f7

                                      SHA512

                                      9ee5e476d561d0f8b4a3b94c9ee215411f19987c4dadbc76521cb6190a3d412f606d1eb3339c38fd83a1a50d95f7b916c8e7a5a14d0b1127d4276dfa29d76cc4

                                      Download Submit

                                    • C:\Program Files\DVD Maker\ja-JP\sppsvc.exe
                                      Filesize

                                      1.7MB

                                      MD5

                                      0ec0507751be1856bba60c0b9150101e

                                      SHA1

                                      01efcc58d500f8ce8d1465deba6879b668c7d5e5

                                      SHA256

                                      9dc9caa880261d74a6451032ad418a1da20b3d81275174fce84583816d92d5f0

                                      SHA512

                                      50e9da3bece4f1e2413503e0ed7cb9c1680b5dd59a7b60e95692144867539b76a8f5224e4d7b7a72b9a4ce344bf15c64348fba35898626a273c745aa274d6e1f

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\0792f7bb-63bb-49fb-a347-f40868b34173.vbs
                                      Filesize

                                      731B

                                      MD5

                                      84d406d36387fc85099879c7ecc0bd17

                                      SHA1

                                      bc657307db323e8db3a43f644603b91ac673d699

                                      SHA256

                                      3d5d491d041cab2ef6281dc34c67532220d07cd553cdadfca4160ff9ef4b53fe

                                      SHA512

                                      52215bfe5a253f5f612585e5b5622d72056a92191ed84089a60e53d198600d912f619b5ede0bf7dd8564486afe1155e5632c26540863e59976fc4a7912493d16

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\3874709e-be8d-40f0-aa5d-557fada20cd0.vbs
                                      Filesize

                                      732B

                                      MD5

                                      80305399e7f5f6b4e28502f6c7d957f1

                                      SHA1

                                      3f0e0044343f755158737c50a85e5d76bbe6e6af

                                      SHA256

                                      c4a0c6d2ac082d76903cbc1f30f32b6900e8052dc50d0e8d0f1a2760b47b0950

                                      SHA512

                                      20312a6fee1af4ab3309e5b549e720ea86dcced10ad9f0544c36c50cfe754c2c11a1eccaee250fdd4861fa46fac145f47e0154bf2de996371ed6bbeddcb5920c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\4e4fd5e5-3ce1-45ff-bde3-8927dc36ea20.vbs
                                      Filesize

                                      732B

                                      MD5

                                      387807f91f076cff98ace61196c29570

                                      SHA1

                                      725590cbedc981bbcde8bb1186ba1b4d35ee1342

                                      SHA256

                                      2128c8f850261d67b4b71da6fc20c98183580747ace848c9676b0c3b79a06181

                                      SHA512

                                      66188983e491eeb80de5a9c0c73c6dd09d89185f1562309b9cc72aaf628d80d816b0adc9cfc1111db6adb0841bf3efdc11bf8000b3db9af0da2bf387201053cc

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\6f88de39-e95d-473f-9395-a1b8c1fb4f4f.vbs
                                      Filesize

                                      731B

                                      MD5

                                      9d4be191a190415acbb4aec50580c6aa

                                      SHA1

                                      3c4a17979766da489cc850c879b7471e6f1648b3

                                      SHA256

                                      9ff9eea2992c494a316a357c30c194cae9520f2315aaf229105ed8c05543ef4d

                                      SHA512

                                      34c3d8ba8673d98beaeb501369b0e932528a691a554611dff322c6e92c9d40b877e43725290efdce74394a123a68444a13dde67f95d1c54d676d8cd5b529aecf

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\QKRcMIcdUS.bat
                                      Filesize

                                      221B

                                      MD5

                                      6f31a59e50247a301345913687913ca4

                                      SHA1

                                      4aeaebc8290321d48b5e8193562c12bfa0e4f11e

                                      SHA256

                                      b7b259eae4be14ac108abdef776a94a9f3cf1461c0f00b471beaed381a0db36c

                                      SHA512

                                      ef68f74eac0356d4303b6a7fb0c208126af492c197fde651315440b66f114f1ca9d85e7f559ad04037e0e69956d29d932e88a0b64dfa822bef31599804f562f1

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\a93d10b2-36e7-49cd-a971-798cadb90ff8.vbs
                                      Filesize

                                      732B

                                      MD5

                                      968330217d187cfa5ba633ed5dbc047b

                                      SHA1

                                      5acb7c26f7e9e9bcec3c7120a60d7e6e8cc5630d

                                      SHA256

                                      911bd7696eda0aafe56aa025beedd1ffb8bce07248eb62168ec19db7d3d676a0

                                      SHA512

                                      bb5319f0422b9a90180edcefe613f88688ba75d22867f94a363707ae0d50752a6b5acc778446db556414e670f7115a048d7c15ae57549d9bec311b5173fc0e6b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\b2f8ecb0-9b42-4821-ae0d-226852e0d104.vbs
                                      Filesize

                                      508B

                                      MD5

                                      5ea113625b4754cee97e4ad2f3390679

                                      SHA1

                                      42b79b1093d47a245f5eb22f27e43374e4b77143

                                      SHA256

                                      169e445652f70c0c82ba9dc9e8acfdb96742565babaa2e3025351e83cc35cf54

                                      SHA512

                                      692cc3bda6579d1eb6f571a363f97b39dbec97ef108ad63582bd0ecbee84aa3120e8640b6e933c34783183f2cc27fb1adcad4f63d121a3513e1757d0b1d22d15

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\c8f73732-5ece-46fc-9220-9fb7690f3ba9.vbs
                                      Filesize

                                      732B

                                      MD5

                                      2f61e4a6449a4bbfb89b241e4b93927c

                                      SHA1

                                      e2ef8db836b280d7a002523a9b1100772f76a9fe

                                      SHA256

                                      89ddb5940865dbca9d9d45331071a4ed913167a6a7ec9e35d713020fc8fb5d9f

                                      SHA512

                                      bcffc8254d462c1fe674a68762d89873d5bc53dae832694b4615f7aea8022b9fc442e68e166b4a9f3ed9b1a3dad6d00e2aa8a235fcbf6425da027edd60efc7f7

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\d2f9636f-c2e7-471f-a375-da97577ee72b.vbs
                                      Filesize

                                      732B

                                      MD5

                                      be85f5389020f185c6c09693810e3a1f

                                      SHA1

                                      e259e7d047c0dadcf2e47dbe1269f73c7b6a523b

                                      SHA256

                                      69d9e7b0f1d18b9ea2f9684742f24b0641e38b54ae599238f6ecd172fab9f474

                                      SHA512

                                      a78df9918e7aae3147852085eadc4cb18596abddd01ce4ef869a2d7b90d73c62be73c88f92682bf0edd3c6274e132bdb180144ec0764ee75be922eeb249c0deb

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\d6f101fc-e3e9-4c61-894c-6a9483356500.vbs
                                      Filesize

                                      732B

                                      MD5

                                      5058677c6d8e2f62a1f15d3855172894

                                      SHA1

                                      d1a59aa233ee79976a14cd4b35ec659f598571b8

                                      SHA256

                                      b6f52979d99605a1643f44883852a1ee6f888701faf4cb757096f6f028fc6d6d

                                      SHA512

                                      29f8eb7ab71d4ded30d98677284d72799e8a78fdd96c0046ba43abbdea95b5df5edfc4a349eda3173b6b8355869599308fe2ef115ab4e1301faa99eda44132ac

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\e64f863f-bbf7-4a7c-8da1-50a344773b3a.vbs
                                      Filesize

                                      732B

                                      MD5

                                      5cf87f92a1a52af9e3c9f3337c11076e

                                      SHA1

                                      2f73d64890f9cecc29b5a35da6fde6a88772b9a3

                                      SHA256

                                      d830845045ecc24260070f0a052705a364ee6523276e9e387182f270b4ea7413

                                      SHA512

                                      29a5354dc0d3ddb03e16bfbaf7bfba6df50e907ef976928ba9210843ec41b7064c5264819d3893322b3b9f4fe7ee872fab352f26d28f6d0a397cb33b0f724604

                                      Download Submit

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                      Filesize

                                      7KB

                                      MD5

                                      dfe02b6462a3a253ca3f2b63f13cd99f

                                      SHA1

                                      66b0ed056021de354620b7fd6f118403c8005054

                                      SHA256

                                      31f9cd286a7fc15042b865999f804e4aecd15795d78754c4e86ffc04d2720258

                                      SHA512

                                      ee54c2730214e90e935c4f580be6990108665fc311818c4d4cc8f4470ebea7363e833b14615ffb9bdb9631f7319cbb1fa37b50fb45eed10bae002f200860720f

                                      Download Submit

                                    • memory/772-113-0x0000000002800000-0x0000000002808000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/772-112-0x000000001B800000-0x000000001BAE2000-memory.dmp

                                      Filesize

                                      2.9MB

                                      Download

                                    • memory/848-162-0x0000000001230000-0x00000000013F0000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/888-173-0x00000000000B0000-0x0000000000270000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/888-174-0x00000000021D0000-0x00000000021E2000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/1384-247-0x0000000000060000-0x0000000000220000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/1648-259-0x0000000000FA0000-0x0000000001160000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/1932-234-0x0000000001300000-0x00000000014C0000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/1932-235-0x0000000000B90000-0x0000000000BA2000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/2084-12-0x00000000006D0000-0x00000000006DC000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/2084-7-0x00000000001A0000-0x00000000001B0000-memory.dmp

                                      Filesize

                                      64KB

                                      Download

                                    • memory/2084-20-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

                                      Filesize

                                      9.9MB

                                      Download

                                    • memory/2084-17-0x0000000002330000-0x000000000233C000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/2084-13-0x00000000006E0000-0x00000000006EA000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/2084-16-0x0000000002320000-0x000000000232C000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/2084-15-0x0000000002180000-0x0000000002188000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/2084-14-0x00000000006F0000-0x00000000006FE000-memory.dmp

                                      Filesize

                                      56KB

                                      Download

                                    • memory/2084-1-0x0000000000270000-0x0000000000430000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/2084-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

                                      Filesize

                                      9.9MB

                                      Download

                                    • memory/2084-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2084-3-0x0000000000150000-0x000000000016C000-memory.dmp

                                      Filesize

                                      112KB

                                      Download

                                    • memory/2084-11-0x00000000006A0000-0x00000000006B2000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/2084-9-0x0000000000260000-0x0000000000268000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/2084-4-0x0000000000180000-0x0000000000188000-memory.dmp

                                      Filesize

                                      32KB

                                      Download

                                    • memory/2084-8-0x0000000000250000-0x000000000025C000-memory.dmp

                                      Filesize

                                      48KB

                                      Download

                                    • memory/2084-125-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

                                      Filesize

                                      9.9MB

                                      Download

                                    • memory/2084-6-0x0000000000230000-0x0000000000246000-memory.dmp

                                      Filesize

                                      88KB

                                      Download

                                    • memory/2084-5-0x0000000000190000-0x00000000001A0000-memory.dmp

                                      Filesize

                                      64KB

                                      Download

                                    • memory/2224-222-0x00000000000D0000-0x0000000000290000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/2440-199-0x0000000001070000-0x0000000001230000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/2740-187-0x0000000000550000-0x0000000000562000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/2740-186-0x0000000000D00000-0x0000000000EC0000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download