Overview

overview

10

Static

static

10

477abe4b25...51.exe

windows7-x64

10

477abe4b25...51.exe

windows10-2004-x64

10

47c6de91e1...b0.exe

windows7-x64

10

47c6de91e1...b0.exe

windows10-2004-x64

10

47ce70cdef...aa.exe

windows7-x64

10

47ce70cdef...aa.exe

windows10-2004-x64

7

4809a98c25...ee.exe

windows7-x64

1

4809a98c25...ee.exe

windows10-2004-x64

10

480bfd19cc...7e.exe

windows7-x64

10

480bfd19cc...7e.exe

windows10-2004-x64

10

4818942b62...ae.exe

windows7-x64

10

4818942b62...ae.exe

windows10-2004-x64

10

485ef3e4d3...15.exe

windows7-x64

10

485ef3e4d3...15.exe

windows10-2004-x64

10

486a44dd40...61.exe

windows7-x64

10

486a44dd40...61.exe

windows10-2004-x64

10

487afaa242...b4.exe

windows7-x64

3

487afaa242...b4.exe

windows10-2004-x64

3

488aec85d4...b2.exe

windows7-x64

8

488aec85d4...b2.exe

windows10-2004-x64

8

48dd84f7a2...da.exe

windows7-x64

10

48dd84f7a2...da.exe

windows10-2004-x64

10

4931b13a12...db.exe

windows7-x64

10

4931b13a12...db.exe

windows10-2004-x64

10

4963d3411f...95.exe

windows7-x64

3

4963d3411f...95.exe

windows10-2004-x64

3

4981b96b4a...e4.exe

windows7-x64

3

4981b96b4a...e4.exe

windows10-2004-x64

3

4996155e60...cb.exe

windows7-x64

10

4996155e60...cb.exe

windows10-2004-x64

10

49986bd925...30.exe

windows7-x64

10

49986bd925...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    485ef3e4d31b39e6107f797859f14415.exe

  • Size

    5.9MB

  • MD5

    485ef3e4d31b39e6107f797859f14415

  • SHA1

    3739bada3227bce92e083531766d21aa4c11159a

  • SHA256

    b37b01540833889b41c27875378edb8fefebb2b56423c57a3a003bb1a71e501b

  • SHA512

    d5708f1610ec1748d1866edf380b5bd34f2bced3b100654d0d8cd25651565a6ac3d92777b8959a36290a9020649570e7a64d44d6afd6d33cc6df0dee1a408145

  • SSDEEP

    98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4t:hyeU11Rvqmu8TWKnF6N/1wY

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\485ef3e4d31b39e6107f797859f14415.exe
    "C:\Users\Admin\AppData\Local\Temp\485ef3e4d31b39e6107f797859f14415.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5920
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SbArq942hj.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:5220
        • C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe
          "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4876
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c4eb53-977d-430d-88cb-09e0d6b26980.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:848
            • C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe
              "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1792
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21d815bb-a049-4a1a-b043-f4fdbcee0b3f.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4208
                • C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe
                  "C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5624
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd5c3d25-3eff-4f70-8aa0-53c1d3880535.vbs"
                    8⤵
                      PID:4964
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73749ecd-3451-4691-b791-ce446d7c00df.vbs"
                      8⤵
                        PID:5252
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c578cb0-3436-46ea-aaa8-94c89628f06f.vbs"
                    6⤵
                      PID:4288
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e969dafa-a873-4947-be47-e547c2d6fabe.vbs"
                  4⤵
                    PID:1592
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\smss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4744
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\smss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\smss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4868
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4940
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5616
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\SearchApp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2836
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2552
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4516

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              a43e653ffb5ab07940f4bdd9cc8fade4

              SHA1

              af43d04e3427f111b22dc891c5c7ee8a10ac4123

              SHA256

              c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

              SHA512

              62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
              Filesize

              1KB

              MD5

              229da4b4256a6a948830de7ee5f9b298

              SHA1

              8118b8ddc115689ca9dc2fe8c244350333c5ba8b

              SHA256

              3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

              SHA512

              3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              f26021db51b2ceb0c03baf5665a86386

              SHA1

              5487265d705c72daa8495c543f2182a64b373da3

              SHA256

              56a4d25798b8d3102fec5025892dd6ff79500aee72db311e82b1308f1783db6f

              SHA512

              e09f018d22c3dee7ff7dbd6d79182e5c94be1aba0ceaeef3652d254712fa8393dc81002e20de3749abd3420ce0ed23dee176fa50eeaf80d6ee09a9dae2a1a49f

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              47dc8ed1f00b2cf40d90efa529ee35cc

              SHA1

              851d6a181ebb44256367c73042ed4f774bce9bdd

              SHA256

              2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

              SHA512

              3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              e8e7675df15697eee65b731b90f33a5f

              SHA1

              8fe1308e032c5cb61b8ea50672fd650889cecdcd

              SHA256

              656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

              SHA512

              fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              e69ced0a44ced088c3954d6ae03796e7

              SHA1

              ef4cac17b8643fb57424bb56907381a555a8cb92

              SHA256

              49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

              SHA512

              15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              a16aff60eb3c3e35753a259b050c8a27

              SHA1

              85196d5dfb23d0c8b32b186325e2d58315a11287

              SHA256

              a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

              SHA512

              13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              c2e67766ebbf9a065d2d6698d1e76a22

              SHA1

              880bd6eb37a65027fd6b100beb69326469e62786

              SHA256

              2123e4031ccd3bb8f144c209b0d0b1fc37623a472caa18fa31b6ccf787001120

              SHA512

              d39497ddd1abb45733a35e4fa7a9958cc736addbd37e18820cc3149b704814e9db4d8146e6737fcb2e3c93c0e945d567d0995c7657e982c574886b29dfdd8a73

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              de63920702c5259ef84fc0aacf0a020d

              SHA1

              7687b7b4476191499658d09787f462bd9c2e9a21

              SHA256

              b03898791259ae687cdd06d91d21465ff582ce73ab589116acd6f1fba391b76d

              SHA512

              b4f964d45a23dc96ee3a93b3340ba16a170f71e7d838c561f650200897e7f33c5cae65eccc14d70df001ea71d7e0c078980df5e6bad5b6380d6246be133a2205

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\21d815bb-a049-4a1a-b043-f4fdbcee0b3f.vbs
              Filesize

              737B

              MD5

              0aca720d069105ba32c26be2244ffdce

              SHA1

              58472d044e4a8154173703df322082a9619023e3

              SHA256

              1a3bdaed79e9616688bb76ca082ce1447284251e048eb6fe2c617530bdb0d261

              SHA512

              25066a0477373ce4b5b85450e32729c3539ff2194bb8d85e6eb0d44b42abae908694908df758f337435e4c75c000d7841f673a44446071de7b1a778c303e94c0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\92c4eb53-977d-430d-88cb-09e0d6b26980.vbs
              Filesize

              737B

              MD5

              2019a8e985b91e4dd3c5b3eeddd5b7f5

              SHA1

              37d5768b73beb772aa07c3d19d58efe3c04897e9

              SHA256

              72320700ab3472c864d98cc762e3c92abc26fbc11f57111ca3d5f2d395d2abc1

              SHA512

              2fe8de976590b514a2b4205911af2c6ce76a7156349f23be69be7069cb22fb8c25f6953cb030eb1b6c0170a6149876b2dbc46ea8a3170763a33f1f7344d459d9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RCX8629.tmp
              Filesize

              5.9MB

              MD5

              1658c5a59524e1983d69485507631ef9

              SHA1

              54e150347c25693166e993bed20f686a2f996fe5

              SHA256

              fdd15a618fc2891f3f790ddebbf7dab1d1a06363898154c07ed1094febfc4a54

              SHA512

              501ba37e517cd0ab83df832480b115b27039e5336ff2e1388df6fa07d9b82703679e6bfae68d81e7d9f65fc9c26e0622b9235cd9c9f1b5ca6247b418bfc36036

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\SbArq942hj.bat
              Filesize

              226B

              MD5

              c53ea2ce768a05ac83fc9b61e1392111

              SHA1

              915d44ad7b2b34f0b335e172525323f144f6789c

              SHA256

              b8fb9071b94ff870df669e51a453171b29391534fa17fdce12a9cfdc3e527a2a

              SHA512

              9ac409fe6ad05aeb0166fb35c0380aceb34f6deda1a95b8cf7137bce09949b883f3c7834f5dfd749f5432b148bbcd24fbd0566a87ad5760588ac530725742b76

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thblkgpo.jnd.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dd5c3d25-3eff-4f70-8aa0-53c1d3880535.vbs
              Filesize

              737B

              MD5

              b4152c933d85b959889e1a434849f773

              SHA1

              ad17638fa83184fb581b6fc96fef5d838b601f8d

              SHA256

              2a592b526a142525efc7c832fec9eaf22a04c359c81dc293e410a05c707b75ee

              SHA512

              3021c167bfd9911c51189d77bc4abc171311c5018b1b76c8836c3e81e73e49920a5aa3fa6894c8fb414b092bf4db089343f6b4667669d1209a0cbd1042a3ce34

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\e969dafa-a873-4947-be47-e547c2d6fabe.vbs
              Filesize

              513B

              MD5

              bc8bae0b347522f532970faf60e8a357

              SHA1

              eab0341067388ca2ef17dab76cce8b3a5036e915

              SHA256

              c796151fc5933970cd260f51ba55eff6de8f3ebb36755dcf880ede91d1e09bbd

              SHA512

              9f27a39f4025f35d2baa01194cedadfd3bb685f45f7e3e860e83ee3fae3537083e189a72ed11489ea56b1fd662cd13046f3db92fd9dee5cd29dbfa5a4d6de392

              Download Submit

            • memory/3680-14-0x0000000003BC0000-0x0000000003BCC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-33-0x000000001D060000-0x000000001D06A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3680-18-0x000000001CE70000-0x000000001CEC6000-memory.dmp

              Filesize

              344KB

              Download

            • memory/3680-19-0x0000000003BF0000-0x0000000003BFC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-20-0x000000001C6E0000-0x000000001C6E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-21-0x000000001C6F0000-0x000000001C6FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-22-0x000000001C700000-0x000000001C708000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-24-0x000000001CEC0000-0x000000001CED2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3680-25-0x000000001D420000-0x000000001D948000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3680-27-0x000000001CF00000-0x000000001CF0C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-26-0x000000001CEF0000-0x000000001CEFC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-28-0x000000001CF10000-0x000000001CF18000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-29-0x000000001CF20000-0x000000001CF2C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-30-0x000000001CF30000-0x000000001CF3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-31-0x000000001D040000-0x000000001D048000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-32-0x000000001D050000-0x000000001D05C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-35-0x000000001D180000-0x000000001D188000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-36-0x000000001D190000-0x000000001D19E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3680-34-0x000000001D170000-0x000000001D17E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3680-38-0x000000001D1B0000-0x000000001D1BC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-37-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-17-0x0000000003BE0000-0x0000000003BEA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3680-39-0x000000001D1C0000-0x000000001D1C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-40-0x000000001D2D0000-0x000000001D2DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3680-41-0x000000001D1D0000-0x000000001D1DC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3680-16-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3680-15-0x0000000003BB0000-0x0000000003BB8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-100-0x00007FFFF40B0000-0x00007FFFF4B71000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3680-1-0x0000000000FE0000-0x00000000018D8000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/3680-0-0x00007FFFF40B3000-0x00007FFFF40B5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3680-13-0x0000000003BA0000-0x0000000003BB2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3680-12-0x00000000021B0000-0x00000000021B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-11-0x00000000021D0000-0x00000000021E6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3680-10-0x00000000021A0000-0x00000000021B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3680-9-0x0000000002190000-0x0000000002198000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-8-0x000000001CD20000-0x000000001CD70000-memory.dmp

              Filesize

              320KB

              Download

            • memory/3680-7-0x0000000002170000-0x000000000218C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3680-6-0x0000000002160000-0x0000000002168000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3680-5-0x0000000002100000-0x000000000210E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3680-4-0x00000000020F0000-0x00000000020FE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3680-3-0x00007FFFF40B0000-0x00007FFFF4B71000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3680-2-0x0000000001D80000-0x0000000001D81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4916-107-0x0000019A2E530000-0x0000019A2E552000-memory.dmp

              Filesize

              136KB

              Download