dcrat | 1723094c0826db0bdeb23310afd13d750d2083d23af16e5f9c04b813a4b97dc1

Analysis

max time kernel
141s
max time network
153s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
16/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niha-main/mbyoitksfjkyij.exe
Size

546KB
MD5

2c4d06873fcee3b44881720f6160d8df
SHA1

c6b69f693180fe1b51747c2195127b3baa254db1
SHA256

90e8153867291a018f0622ae5eea663921a12b48ca92d12316823b24750db7ac
SHA512

767a3c24155cebea64879f879ff6e63cf8fa81c069d43efd75cb8c5e886764248c47175ca4de1de3d599ab0d6aa22ccde1ecf87f14d86979947517a865517072
SSDEEP

6144:ngPKe4uv5kZunvs0bZqBUOxGSEK0C2bsJJuWgvdPuwtJNL5+RXu9Y01bX4wgIKe7:ngTnFXChMvdPvJNLWuTJJMA+0FZ6

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\ApplicationHost.exe\""	mbyoitksfjkyij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\ApplicationHost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\niha-main\\mbyoitksfjkyij.exe\""	mbyoitksfjkyij.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	4376	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4376	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4376	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4376	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4376	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4376	schtasks.exe	81

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral11/memory/3844-1-0x00000000007F0000-0x000000000087E000-memory.dmp	family_dcrat_v2
behavioral11/files/0x0009000000028161-32.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	mbyoitksfjkyij.exe

Executes dropped EXE 2 IoCs

pid	Process
5896	ApplicationHost.exe
5360	ApplicationHost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationHost = "\"C:\\Users\\Admin\\AppData\\Local\\ApplicationHost.exe\""	mbyoitksfjkyij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mbyoitksfjkyij = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\niha-main\\mbyoitksfjkyij.exe\""	mbyoitksfjkyij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mbyoitksfjkyij = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\niha-main\\mbyoitksfjkyij.exe\""	mbyoitksfjkyij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationHost = "\"C:\\Users\\Admin\\AppData\\Local\\ApplicationHost.exe\""	mbyoitksfjkyij.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC68D63FAC1DA44436AF46BD8FAE1DCC0.TMP	csc.exe
File created	\??\c:\Windows\System32\9hktbf.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCD3973A8F76064517B624B0B267FD2784.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4888	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\Local Settings	mbyoitksfjkyij.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4888	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1088	schtasks.exe
5468	schtasks.exe
1524	schtasks.exe
2972	schtasks.exe
3704	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
3844	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe
1160	mbyoitksfjkyij.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	mbyoitksfjkyij.exe
Token: SeDebugPrivilege	5360	ApplicationHost.exe
Token: SeDebugPrivilege	5896	ApplicationHost.exe
Token: SeDebugPrivilege	3284	mbyoitksfjkyij.exe
Token: SeDebugPrivilege	4728	mbyoitksfjkyij.exe
Token: SeDebugPrivilege	1160	mbyoitksfjkyij.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 2248	3844	mbyoitksfjkyij.exe	85
PID 3844 wrote to memory of 2248	3844	mbyoitksfjkyij.exe	85
PID 2248 wrote to memory of 5672	2248	csc.exe	87
PID 2248 wrote to memory of 5672	2248	csc.exe	87
PID 3844 wrote to memory of 2372	3844	mbyoitksfjkyij.exe	88
PID 3844 wrote to memory of 2372	3844	mbyoitksfjkyij.exe	88
PID 2372 wrote to memory of 2016	2372	csc.exe	90
PID 2372 wrote to memory of 2016	2372	csc.exe	90
PID 5776 wrote to memory of 5896	5776	cmd.exe	97
PID 5776 wrote to memory of 5896	5776	cmd.exe	97
PID 5676 wrote to memory of 5360	5676	cmd.exe	98
PID 5676 wrote to memory of 5360	5676	cmd.exe	98
PID 3844 wrote to memory of 3832	3844	mbyoitksfjkyij.exe	104
PID 3844 wrote to memory of 3832	3844	mbyoitksfjkyij.exe	104
PID 4744 wrote to memory of 3284	4744	cmd.exe	106
PID 4744 wrote to memory of 3284	4744	cmd.exe	106
PID 892 wrote to memory of 4728	892	cmd.exe	107
PID 892 wrote to memory of 4728	892	cmd.exe	107
PID 3832 wrote to memory of 4800	3832	cmd.exe	108
PID 3832 wrote to memory of 4800	3832	cmd.exe	108
PID 3832 wrote to memory of 4888	3832	cmd.exe	109
PID 3832 wrote to memory of 4888	3832	cmd.exe	109
PID 3832 wrote to memory of 1160	3832	cmd.exe	110
PID 3832 wrote to memory of 1160	3832	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe
"C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eiv2o4wx\eiv2o4wx.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FD3.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD3973A8F76064517B624B0B267FD2784.TMP"
    3⤵
    PID:5672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mp1zw1z\5mp1zw1z.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6060.tmp" "c:\Windows\System32\CSC68D63FAC1DA44436AF46BD8FAE1DCC0.TMP"
    3⤵
    PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eZfdmy3o8n.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4800
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe
    "C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\ApplicationHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\ApplicationHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationHostA" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\ApplicationHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\ApplicationHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Users\Admin\AppData\Local\ApplicationHost.exe
  C:\Users\Admin\AppData\Local\ApplicationHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\ApplicationHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5676
- C:\Users\Admin\AppData\Local\ApplicationHost.exe
  C:\Users\Admin\AppData\Local\ApplicationHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mbyoitksfjkyijm" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mbyoitksfjkyij" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mbyoitksfjkyijm" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe
  C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe
  C:\Users\Admin\AppData\Local\Temp\niha-main\mbyoitksfjkyij.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4728

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ApplicationHost.exe

Filesize
546KB

MD5
2c4d06873fcee3b44881720f6160d8df

SHA1
c6b69f693180fe1b51747c2195127b3baa254db1

SHA256
90e8153867291a018f0622ae5eea663921a12b48ca92d12316823b24750db7ac

SHA512
767a3c24155cebea64879f879ff6e63cf8fa81c069d43efd75cb8c5e886764248c47175ca4de1de3d599ab0d6aa22ccde1ecf87f14d86979947517a865517072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationHost.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mbyoitksfjkyij.exe.log

Filesize
1KB

MD5
84ff2a7088d624982b5a712f408af320

SHA1
5ff3abf6d82937582463857f031be83c750edd00

SHA256
aeecfb427ee1a57448c80916300f7592c38e71121ace68498a9d0773c67a8f56

SHA512
3c1d32195b4d47c7de548a57448f62620ca9aa0664b2ec6d6e5221450e8761f699723531608a2fc6cea053513d10e57545dd80c64a29510f8b066d900fad3f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FD3.tmp

Filesize
1KB

MD5
a97878135eb58f04aa4014481c1c92b3

SHA1
d6e826a3b0a612b84ce7f784900d56cc4ff1e21f

SHA256
e2a012aeb4d7ed91da695297be4d12784159d16282e7efa6f5e48a33d45ca25d

SHA512
7cd1b2ec745718b644e7c30d7aac82e99f3ff548dd3673dc778a143a9024f72bec05aff25c672529ad298632c8ac777ee851b31f8c6a6472ff315f8329af7580

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6060.tmp

Filesize
1KB

MD5
c747a14f35085eed8e219359add287ca

SHA1
84096a29fc1b86a7615b6cbb00fc5852e3e9a62c

SHA256
430114682277e064c0656513b518a3d9a27fa690481b1ef976e61d472353a1ce

SHA512
20968079eefad705b9bf20e8318817f1fd7dac3ad2353ab712e982fb649e050f07f1b0917c11d8740bcb4249e5f4346e2660f6efb6d0eb8fd8d1b8a3f5c3386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZfdmy3o8n.bat

Filesize
190B

MD5
af36ad3eeb2a292b780ef3b4b68267b5

SHA1
69e33cf1fdeefadb818e85ecb1c62f624e8ebbc5

SHA256
ca622e29adf4cea753398a09ffda13f8e8a9ecbf3502cfa86a73189b817956b2

SHA512
bb0b684322dec45fb8b0b6f62dc60d3b70ee9ff99b476823fc45ef7fc1194b37df6cf9d8aa1d588f8f00a6181138f016884ab0f8e97e252369ccf4bc040432e0

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCD3973A8F76064517B624B0B267FD2784.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mp1zw1z\5mp1zw1z.0.cs

Filesize
380B

MD5
591c9c95bf751a0feea97cd6782a9a47

SHA1
2ae3097a17c26ef5478056f5b16c59632c28309d

SHA256
32c9bc726b659fd13168175a74bd38616b749fc627ee8b9233875a58421a73be

SHA512
beed7bb3a08374e1e36db205a6cc14d9488cac2349b68bf16a54d0ac9bc1a7acb8cacf3cc68370eaf2c8179bf5e8711324134e4797e0922c371f91c6d82d8ef7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mp1zw1z\5mp1zw1z.cmdline

Filesize
235B

MD5
701f26042c9f2f6b302c44ca9fdf43f8

SHA1
003399bb78da755d9b1c10d527dd0e5571d32416

SHA256
4115aff2024dc204077969467674f0a054a26187b772a885384c53d0ac0e15aa

SHA512
d09e486a156d942d00cb4bc4966ddb3b3b9f44f478b4d8de934278810c61c899497daa172b4f1238ccd3209531e11f9ed0ca6b698b68fa68cdbc8427fc5a3bce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eiv2o4wx\eiv2o4wx.0.cs

Filesize
410B

MD5
68e963bf6b0219ffefe2bc8c34df0621

SHA1
af3fe5103128e63587231ce13df8bed264002573

SHA256
cf602c8954d56b5129ed13faff5da6f7e84ba0c684a54831113c8c533e44d57a

SHA512
086f3d6465075e17f634a202608c17110404bc89748704a1f7a4926de3148731930e7582b6f6a5d23f78e9dec0e3e9ac1e0d9c1931fd054e625896f2a9664836

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eiv2o4wx\eiv2o4wx.cmdline

Filesize
265B

MD5
39b45bf61ec47db89aa1088f79abce54

SHA1
3a5acbdd77c62b4a1d402a6f69674d0accd0290a

SHA256
31c2f8737dceca171652858ca512ee214e66e64bed7a31a7559ff54ce19880d7

SHA512
abc457fb79df297ffa708f977a5d99ee1b652e933b7550d2c30ca6a6a6fb1e66a76891932ffcb096ab05b1db7b05614949d6ffe01df7d09a6eea5e380dafdfc7

Download Submit
\??\c:\Windows\System32\CSC68D63FAC1DA44436AF46BD8FAE1DCC0.TMP

Filesize
1KB

MD5
efc46ebe9885921972beaca9b3962a66

SHA1
0618963c64928caddcf5c82bd251b4ec9e70817c

SHA256
27b7f9b0ed675eb5bea6355b070aa7b83e2ebfb7b5787c03989ea5ee25771109

SHA512
c0591ff9d59e3da77a083789e6c3383a7bad65b66c5a0c948cf71deb3f1a8fcc168a94cd20d64962c2923dbef8a33cfa06e6a0180b7874dc0d234b58c5e8da96

Download Submit
memory/1160-49-0x000000001C6E0000-0x000000001C887000-memory.dmp

Filesize
1.7MB

Download
memory/3844-0-0x00007FFA02153000-0x00007FFA02155000-memory.dmp

Filesize
8KB

Download
memory/3844-5-0x00007FFA02150000-0x00007FFA02C12000-memory.dmp

Filesize
10.8MB

Download
memory/3844-4-0x0000000000F30000-0x0000000000F3E000-memory.dmp

Filesize
56KB

Download
memory/3844-42-0x000000001BA30000-0x000000001BAD1000-memory.dmp

Filesize
644KB

Download
memory/3844-43-0x00007FFA02150000-0x00007FFA02C12000-memory.dmp

Filesize
10.8MB

Download
memory/3844-2-0x00007FFA02150000-0x00007FFA02C12000-memory.dmp

Filesize
10.8MB

Download
memory/3844-1-0x00000000007F0000-0x000000000087E000-memory.dmp

Filesize
568KB

Download