Overview

overview

10

Static

static

10

c39e5e5773...fb.exe

windows7-x64

7

c39e5e5773...fb.exe

windows10-2004-x64

7

c3a61d282c...2f.exe

windows7-x64

7

c3a61d282c...2f.exe

windows10-2004-x64

7

c3aaa8d067...d1.exe

windows7-x64

10

c3aaa8d067...d1.exe

windows10-2004-x64

10

c40612db16...6d.exe

windows7-x64

10

c40612db16...6d.exe

windows10-2004-x64

10

c45000d072...99.exe

windows7-x64

10

c45000d072...99.exe

windows10-2004-x64

10

c4639b8ab9...97.exe

windows7-x64

10

c4639b8ab9...97.exe

windows10-2004-x64

10

c47cd91636...6d.exe

windows7-x64

1

c47cd91636...6d.exe

windows10-2004-x64

1

c486ed6acb...df.exe

windows7-x64

7

c486ed6acb...df.exe

windows10-2004-x64

7

c4b4c8152f...dc.exe

windows7-x64

10

c4b4c8152f...dc.exe

windows10-2004-x64

10

c4c197e502...e0.exe

windows7-x64

10

c4c197e502...e0.exe

windows10-2004-x64

10

c4ca622404...18.exe

windows7-x64

10

c4ca622404...18.exe

windows10-2004-x64

10

c50b533887...50.exe

windows7-x64

10

c50b533887...50.exe

windows10-2004-x64

10

c50b94cf52...6f.exe

windows7-x64

10

c50b94cf52...6f.exe

windows10-2004-x64

10

c520bfebf2...a2.exe

windows7-x64

8

c520bfebf2...a2.exe

windows10-2004-x64

10

c53059381a...48.exe

windows7-x64

10

c53059381a...48.exe

windows10-2004-x64

10

c59549cfc2...b8.exe

windows7-x64

1

c59549cfc2...b8.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    57s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

  • Size

    1.6MB

  • MD5

    5355cb64d0008d7ed7267cebea8f9bc4

  • SHA1

    4f8fc970efa45c2f547e8583b49eb543b778f001

  • SHA256

    c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f

  • SHA512

    cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6

  • SSDEEP

    24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bn9GlWlL3z.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:744
        • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
          "C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f758f0b-926b-4653-b59e-c48d80fb2b72.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4084
            • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
              C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4236
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78a732af-6137-4569-a47d-970b0b9f6d32.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3304
                • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                  C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5392
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71b59fc2-42c2-45ad-aeee-6942f7e19afd.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2560
                    • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                      C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                      9⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5608
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2a9a8b8-539e-498e-a015-868b82d65299.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4820
                        • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                          C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                          11⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4028
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc58f238-a599-46c0-83a3-5039479f5be4.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3468
                            • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                              C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                              13⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1708
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52dfa592-1fa6-4137-a48c-b401cbe24fcf.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2864
                                • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                                  C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                                  15⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:772
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d3b772c-35c7-43f3-8210-01ecbc2c4096.vbs"
                                    16⤵
                                      PID:3004
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9db0c7b5-6d0d-445c-9758-d9b06c93ed04.vbs"
                                      16⤵
                                        PID:2412
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d277c68-3baf-467d-9da3-ea119bc2ead3.vbs"
                                    14⤵
                                      PID:5132
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1a505e9-315a-4498-a840-bc76d1713e42.vbs"
                                  12⤵
                                    PID:5336
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\087dccb4-309a-4be8-a7b9-5abab6b676b9.vbs"
                                10⤵
                                  PID:4656
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d53e84de-acdc-4ae8-a8aa-8a1ede42c6e8.vbs"
                              8⤵
                                PID:1088
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f894063f-c48a-42d5-95a5-2cfcc7092d03.vbs"
                            6⤵
                              PID:5796
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\403c1dd5-8291-4c7c-9615-fec1187067ae.vbs"
                          4⤵
                            PID:400
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5960
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3424
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4108
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5628
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4560
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3904

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\4d7dcf6448637544ea7e961be1ad\lsass.exe
                      Filesize

                      1.6MB

                      MD5

                      5355cb64d0008d7ed7267cebea8f9bc4

                      SHA1

                      4f8fc970efa45c2f547e8583b49eb543b778f001

                      SHA256

                      c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f

                      SHA512

                      cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6

                      Download Submit

                    • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe
                      Filesize

                      1.6MB

                      MD5

                      a54d303f6940e00427fda31a002b4496

                      SHA1

                      c2c405135c2b4f7e4b7822e2bdd8399b45019b01

                      SHA256

                      c44706ffd98e77eb8a959eb3631ae831e145046bbd6ca5ede98b8fe907b367c6

                      SHA512

                      5687eb5fb1ddc7650f7c34c15883ccde587efff616a1800eb0c48314ad530a2ae31222f238cd4083bb53c67fe4913c41a9f13172f54be0ebb42410f2f2633a01

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
                      Filesize

                      1KB

                      MD5

                      3690a1c3b695227a38625dcf27bd6dac

                      SHA1

                      c2ed91e98b120681182904fa2c7cd504e5c4b2f5

                      SHA256

                      2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

                      SHA512

                      15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      51fc9f46ed7a5fbec980d47049731eac

                      SHA1

                      1811612998c800bb4563742c4760b2ab3a5e2677

                      SHA256

                      16c05848744983bd75fe403c1aa3aded96c6baf10b77fe95d9f4b52d8422daac

                      SHA512

                      e55ea8fe57f30d236b3ba8cd327e53dac090bb71ef7899b536a4acccd997a6aa232d9b80e0995a536975aeb13cfe29eda27b630393683e3825660224d96b8a15

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      454c5c4b128d34aee2eb765f2a9c0aa9

                      SHA1

                      4b6e92db79d964f604fd6b261b3b19ede2aea8a5

                      SHA256

                      e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

                      SHA512

                      17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1f758f0b-926b-4653-b59e-c48d80fb2b72.vbs
                      Filesize

                      721B

                      MD5

                      fd5b35cd2c8bd2e85e742b6bf09ece11

                      SHA1

                      347f83d683f1bc7472922e8828ac28863e9b5d41

                      SHA256

                      3a8c8aa4759ab2fb431c9626e2bb4df6f872532d970e37828974b781acddceb9

                      SHA512

                      15e05fd7221bd2bbd1a7e9320643ff048081b9464d1f249fdbf2fea496a5c182bcb9c63f3cfb02efed9bcb0e3a1b2af0787bd68c34350aaef7f7250fd283fc6d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\3d3b772c-35c7-43f3-8210-01ecbc2c4096.vbs
                      Filesize

                      720B

                      MD5

                      fb3af12eddc05631f57421b53eafcdd0

                      SHA1

                      9c53effd1a59fa2b8237c3e4658c1c1ae0c5aa34

                      SHA256

                      647abbb592fc667249a9860f78b11ef8f27845120a76b62fa9fa84fda538ac0c

                      SHA512

                      885b8914ec9073fb6e9f4b4620fcbc08b8058c7bbfe23774c02f66ade0430fbf680c4280608b27472743f790983099feaa3eb86911b2c000de85d58138e1d1f8

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\403c1dd5-8291-4c7c-9615-fec1187067ae.vbs
                      Filesize

                      497B

                      MD5

                      5cb396b20428c22fa82c39126c7b7f1c

                      SHA1

                      d07d08f0beeb2d226a3d00a9f8932900a1a9b0e7

                      SHA256

                      c71199e97ab29f9b7a547db32f93c0c51dd767e15d6d3dfee9ac19d82831f95b

                      SHA512

                      e8ecb9eed76ed0d2b6b5987db7aaee32af696b38cb6b3d750c4b2a877829c35d7da9b97dc46ab0416bc5b9517677f60e89d42e6dfdf6d9aab1a15693031f6f51

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\52dfa592-1fa6-4137-a48c-b401cbe24fcf.vbs
                      Filesize

                      721B

                      MD5

                      81bba9d6dc929a9837b9ca6a2a9ba0dd

                      SHA1

                      19e08f8502c695251a3bbc4942b52d2de6852973

                      SHA256

                      c95f8bafba32474e51eb2edaf864d6bd13b25b5ea1a97f242082ee6258f29d38

                      SHA512

                      5177da28d4cba2141cc3b5569a74a509d0ccf2faa6c06b8f841391e15232b7b57adc7bec4a190922ff03d0e5e16687be1c91b3f5caaae28d0aa53e32278ff8bf

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\71b59fc2-42c2-45ad-aeee-6942f7e19afd.vbs
                      Filesize

                      721B

                      MD5

                      a2ca04daccaea3487c0ac7c095cb0bd6

                      SHA1

                      f1542851eb8e6dd687cac412974fc8255b194fd5

                      SHA256

                      26dc7594595c1807fe409151063a392ae791f8650c2de823bee8e0428effd149

                      SHA512

                      ee6cbae52c80052b680d90c4bc082b9a0f1edee7c771cfecb3cc62d331072de28fbe2a2e651856625504b5b30c2bd023f02cdcbb724416a9d7b205f3c48b9370

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\78a732af-6137-4569-a47d-970b0b9f6d32.vbs
                      Filesize

                      721B

                      MD5

                      070c1117d541cb2c223351c1c7e6b050

                      SHA1

                      7e8f56a12d22f61aee6b6d30b83b3358eaefda92

                      SHA256

                      750cc36b68b02a59e37de04215e0a0dc8855d78a1f3da426852f659a7418395c

                      SHA512

                      373877b458a3e2d6f874acd657411b2a9b7585536b7796a1d477656316aca61094db2b3cbce8d5f1e8b742f0a58138d416393ba6f69e6c4a7bf96b46e1547b68

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jktolioi.5wj.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\bc58f238-a599-46c0-83a3-5039479f5be4.vbs
                      Filesize

                      721B

                      MD5

                      79a2e71f16a22c4a8e4ff51754aa2bc6

                      SHA1

                      f9f1eff298d813e858ec4e295fe46f1897d7a3d8

                      SHA256

                      a39288ca8643f127f6d140f52ce6bec6dc730fd742b625bc3e6085b45b08d79e

                      SHA512

                      359ad85fce741febc3ddf4c239f9f5b0cfcd353412a69e220c12d190a7b3cb42a6d4a2a6e6c28cd7c4ba589be77df9552e73d618db3a34ac317ada2c9b2a0f79

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\bn9GlWlL3z.bat
                      Filesize

                      210B

                      MD5

                      22755ba5cb7d59600249fdb348050143

                      SHA1

                      eb1e20a1c3ebda4461d3a3d217fd53f974a7c3dc

                      SHA256

                      c159a2ab1b3fcd09c5b12b32aa9f3d69215b2e4f746b4e39a90792b572a23abb

                      SHA512

                      b6e1695efe5748b562b769eba606246f9f830101cc685fe911cef283aeb7ab45901c17862cc02ace286fcbfa3bd46df971ee64566032f6deca1fbd74dac7e79b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\f2a9a8b8-539e-498e-a015-868b82d65299.vbs
                      Filesize

                      721B

                      MD5

                      6cdb2d607589748840c65eb68f144df8

                      SHA1

                      ffebd49280f9c4a55651f06d84d4ed043b37a831

                      SHA256

                      30b4b54c0d7e85c7866917d7dc777bd67fd6b02ae8dadb06976c93b1ab2b715e

                      SHA512

                      eb096409028e4d68dea18860d5601dbc9de11a290c338a2eafe81d5c3cd05b6a00fda463a29bae1ee40436dd07acb9bc7981a0d453003ac21e6ad54d3b68ca04

                      Download Submit

                    • memory/2120-63-0x00000120F0390000-0x00000120F03B2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2156-96-0x0000000000560000-0x0000000000702000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2744-15-0x000000001BA40000-0x000000001BA48000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2744-17-0x000000001BA60000-0x000000001BA6C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2744-7-0x000000001B920000-0x000000001B928000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2744-0-0x00007FFAC8743000-0x00007FFAC8745000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2744-12-0x000000001BA10000-0x000000001BA1A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2744-84-0x00007FFAC8740000-0x00007FFAC9201000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2744-13-0x000000001BA20000-0x000000001BA2E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2744-14-0x000000001BA30000-0x000000001BA38000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2744-6-0x000000001B900000-0x000000001B916000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2744-4-0x000000001B940000-0x000000001B990000-memory.dmp

                      Filesize

                      320KB

                      Download

                    • memory/2744-9-0x000000001B930000-0x000000001B938000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2744-16-0x000000001BA50000-0x000000001BA5A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2744-11-0x000000001BA00000-0x000000001BA0C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2744-10-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2744-8-0x000000001BA90000-0x000000001BAA0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2744-5-0x000000001B8F0000-0x000000001B900000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2744-3-0x0000000002740000-0x000000000275C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/2744-2-0x00007FFAC8740000-0x00007FFAC9201000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2744-1-0x0000000000520000-0x00000000006C2000-memory.dmp

                      Filesize

                      1.6MB

                      Download