Analysis

  • max time kernel
    104s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 06:26

General

  • Target

    2025-04-04_f7b4c0fad8ea1c80f5384bb45ad18b64_black-basta_cova_luca-stealer.exe

  • Size

    2.1MB

  • MD5

    f7b4c0fad8ea1c80f5384bb45ad18b64

  • SHA1

    c68097749d0fced63ab1c22e4328e02b54df37ee

  • SHA256

    c809df9e2d9115ddeb5e4f6c82ca7ee85753b78cd2396dbda6f951ef1b2e81af

  • SHA512

    03ca9474fb9d03e920a0c755c3c2d8461d0446f10da7d72f15058b54ef063541004c821a0d46730c768e8d1e9823ec8710764e06bd5c441271e2da26ae9b46b9

  • SSDEEP

    24576:2TbBv5rUyXVBlZLSBKYazsX35mwgHMB6uscrW/P0scp7WqNFcUpFwiCxRNuwujkJ:IBJBq5DS1cs+cUpFejgioKgOLaLVZm

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_f7b4c0fad8ea1c80f5384bb45ad18b64_black-basta_cova_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_f7b4c0fad8ea1c80f5384bb45ad18b64_black-basta_cova_luca-stealer.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortFontBrokerPerf\Y4EiKOdPrb8Z.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\PortFontBrokerPerf\Rtn7cpFGR9lldPKi6lSKrpTABHrWJw3F.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe
          "C:\PortFontBrokerPerf/BlockSavesMonitorDll.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ubrnpxxc\ubrnpxxc.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3240
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB239.tmp" "c:\Windows\System32\CSC831ECE413C824170B51C71C4C4652E43.TMP"
              6⤵
                PID:2024
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VTXjTBviRY.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4660
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2572
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2624
                • C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe
                  "C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1852
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe
          "C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe"
          2⤵
          • Executes dropped EXE
          PID:2076
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3128
        • C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe
          "C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1696
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\dllhost.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Recovery\WindowsRE\dllhost.exe
          C:\Recovery\WindowsRE\dllhost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\dllhost.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Recovery\WindowsRE\dllhost.exe
          C:\Recovery\WindowsRE\dllhost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1692
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\ModemLogs\Idle.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\ModemLogs\Idle.exe
          C:\Windows\ModemLogs\Idle.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\ModemLogs\Idle.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\ModemLogs\Idle.exe
          C:\Windows\ModemLogs\Idle.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3744
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\TAPI\wininit.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\TAPI\wininit.exe
          C:\Windows\TAPI\wininit.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\TAPI\wininit.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Windows\TAPI\wininit.exe
          C:\Windows\TAPI\wininit.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:32
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3900
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe
          "C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4404
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe
          "C:\Program Files\VideoLAN\VLC\plugins\keystore\MoUsoCoreWorker.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockSavesMonitorDllB" /sc MINUTE /mo 14 /tr "'C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockSavesMonitorDll" /sc ONLOGON /tr "'C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockSavesMonitorDllB" /sc MINUTE /mo 8 /tr "'C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2576
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe
          C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3576
        • C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe
          C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:704

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\PortFontBrokerPerf\BlockSavesMonitorDll.exe

        Filesize

        1.8MB

      • C:\PortFontBrokerPerf\Rtn7cpFGR9lldPKi6lSKrpTABHrWJw3F.bat

        Filesize

        104B

      • C:\PortFontBrokerPerf\Y4EiKOdPrb8Z.vbe

        Filesize

        229B

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlockSavesMonitorDll.exe.log

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

        Filesize

        847B

      • C:\Users\Admin\AppData\Local\Temp\RESB239.tmp

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\VTXjTBviRY.bat

        Filesize

        194B

      • \??\c:\Users\Admin\AppData\Local\Temp\ubrnpxxc\ubrnpxxc.0.cs

        Filesize

        397B

      • \??\c:\Users\Admin\AppData\Local\Temp\ubrnpxxc\ubrnpxxc.cmdline

        Filesize

        235B

      • \??\c:\Windows\System32\CSC831ECE413C824170B51C71C4C4652E43.TMP

        Filesize

        1KB
