Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    58s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/04/2023, 23:05

General

  • Target

    injector.exe

  • Size

    1.7MB

  • MD5

    8cc41b512b7fdf051bff007c253e4043

  • SHA1

    0b63191f4f416c41be915a08e2e045e9ba1ce1a0

  • SHA256

    9dcfcb7b9dd25f740986fe03702928371903d279dbab6b5d8c7cb7a574f0caca

  • SHA512

    3d773346ba5e7a1782934121e66b47d1865c1b82a8260ad2195c28865fb80dbaa325d6483a28c99e7e510a3d0dd4f835742626acea44042e3155d41f71bd93e9

  • SSDEEP

    24576:P2G/nvxW3W+0ZddL1uN+9vYzK1pTVklXQ3JcGJdyuC6gFLMRUSIxNhoAJHIqL/hg:PbA3ebJ1uo8IcayuqSIdo0eL1

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Modifies WinLogon for persistence (2 TTPs, 14 IoCs)
  • Process spawned unexpected child process (42 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro. Here the 42 hits are the schtasks.exe launches listed under Processes, which the sandbox recorded as top-level processes with no parent rather than as children of the dropped executables.

  • DCRat payload (8 IoCs)

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification

    reg.exe, launched by the dropped FontSavessvc.exe, sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1.

  • Checks computer location settings (2 TTPs, 7 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 28 IoCs)
  • Drops file in Program Files directory (13 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 42 IoCs)

    schtasks is often used by malware for persistence or to perform post-infection execution. In this run all 42 tasks point at copies of the payload written under Windows process names (unsecapp.exe, dwm.exe, services.exe, smss.exe, explorer.exe, ...) outside the system directories, three tasks per copy: one ONLOGON task and two MINUTE tasks (/mo 5 to 14), the ONLOGON task and one MINUTE task with /rl HIGHEST.

  • Modifies registry class (4 IoCs)
  • Modifies registry key (1 TTP, 3 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)

    Generic heuristic; here NOTEPAD.EXE opened the dropped batch file 5bQirf86Ys.bat, not a ransom note.

  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
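The scheduled-task persistence in this report is regular enough to detect from the schtasks.exe command line alone: the target is a Windows process name in a directory where that process never lives, the ONLOGON task is named after the file and the MINUTE task is named after the file plus its own first letter (unsecapp/unsecappu, dwm/dwmd, services/servicess), and the MINUTE tasks relaunch the copy every few minutes. The script below is an added example, not part of the tria.ge report or of the DCRat sample; it parses schtasks /create lines and returns the reasons each one looks like this pattern. The four sample lines are copied from the Processes list on this page; the benign NightlyBackup task and the list of Windows process names are assumptions made for the example.

```python
"""Parse schtasks.exe /create command lines and flag the DCRat persistence pattern."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: four command lines copied from the process list on this
# page, plus one benign task (an assumption, not from the report) as a negative control.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /f""",
    r"""schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\dwm.exe'" /f""",
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f""",
]

# Process names a stock Windows system shows in Task Manager. The dropper reused them
# for its copies (see the /tr targets above); the list is a simplification, an assumption.
WINDOWS_PROCESS_NAMES = {
    "unsecapp.exe", "dwm.exe", "idle.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
    "conhost.exe", "services.exe", "smss.exe", "registry.exe",
    "startmenuexperiencehost.exe", "system.exe", "explorer.exe",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a command line on whitespace, keeping double-quoted runs as one token."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


@dataclass
class TaskCreate:
    name: str
    schedule: str             # /sc value, upper-cased
    modifier: Optional[str]   # /mo value (minutes for /sc MINUTE)
    run_level: Optional[str]  # /rl value, upper-cased
    target: str               # program the task runs, DCRat's extra single quotes removed
    flags: list[str] = field(default_factory=list)

    @property
    def target_name(self) -> str:
        return self.target.rpartition("\\")[2].lower()

    @property
    def target_dir(self) -> str:
        head, sep, _ = self.target.rpartition("\\")
        return (head + "\\").lower() if sep else ""


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Return a TaskCreate for a 'schtasks /create' line, or None for anything else."""
    tokens = tokenize(cmdline)
    if not tokens or tokens[0].rpartition("\\")[2].lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    opts = {t: tokens[i + 1] for i, t in enumerate(lowered[:-1])
            if t in ("/tn", "/sc", "/mo", "/rl", "/tr")}
    if "/tn" not in opts or "/tr" not in opts:
        return None
    target = opts["/tr"].strip().strip("'\"")
    exe = re.match(r"(.+?\.exe)", target, re.IGNORECASE)  # drop any arguments after the .exe
    return TaskCreate(name=opts["/tn"], schedule=opts.get("/sc", "").upper(),
                      modifier=opts.get("/mo"), run_level=(opts.get("/rl") or "").upper() or None,
                      target=exe.group(1) if exe else target)


def assess(task: TaskCreate) -> list[str]:
    """Reasons a task looks like DCRat persistence; an empty list means nothing fired."""
    reasons = []
    stem = task.target_name.removesuffix(".exe")
    name = task.name.lower()
    # 1. A Windows process name run from outside C:\Windows: a masquerading copy.
    if task.target_name in WINDOWS_PROCESS_NAMES and not task.target_dir.startswith("c:\\windows\\"):
        reasons.append(f"{task.target_name} run from outside C:\\Windows")
    # 2. Task named after the file, or the file name plus its own first letter
    #    (unsecapp/unsecappu, dwm/dwmd): the naming every task in this report follows.
    if stem and name in (stem, stem + stem[0]):
        reasons.append("task name derived from target file name")
    # 3. Relaunch every few minutes: a watchdog, not a scheduled job.
    if task.schedule == "MINUTE" and task.modifier and task.modifier.isdigit() and int(task.modifier) <= 15:
        reasons.append(f"relaunch every {task.modifier} min")
    # 4. Highest run level is normal for admin tasks, so count it only as corroboration.
    if task.run_level == "HIGHEST" and reasons:
        reasons.append("run level HIGHEST")
    return reasons


def scan(cmdlines: list[str]) -> list[TaskCreate]:
    """Parse every schtasks line, attach its reasons, and keep only the tasks that fired."""
    hits = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        task.flags = assess(task)
        if task.flags:
            hits.append(task)
    return hits


if __name__ == "__main__":
    for t in scan(SAMPLE_CMDLINES):
        print(f"{t.name:<14} -> {t.target}\n    " + "; ".join(t.flags))
```

The same parser runs unchanged over process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688 command lines) or over the output of schtasks /query /xml, and rule 2 alone is specific enough to pivot on, since legitimate software does not name a task after its binary's first letter.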

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector.exe
    "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\ContainerBrowserdriverSaves\FontSavessvc.exe
          "C:\ContainerBrowserdriverSaves\FontSavessvc.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:700
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bQirf86Ys.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3548
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4816
              • C:\Recovery\WindowsRE\services.exe
                "C:\Recovery\WindowsRE\services.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3232
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\it-IT\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\ContainerBrowserdriverSaves\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ContainerBrowserdriverSaves\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\ContainerBrowserdriverSaves\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\odt\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1512
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4860
      • C:\Users\Admin\AppData\Local\Temp\injector.exe
        "C:\Users\Admin\AppData\Local\Temp\injector.exe"
        1⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1916
            • C:\ContainerBrowserdriverSaves\FontSavessvc.exe
              "C:\ContainerBrowserdriverSaves\FontSavessvc.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4708
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • Modifies registry key
              PID:4532
      • C:\Users\Admin\AppData\Local\Temp\injector.exe
        "C:\Users\Admin\AppData\Local\Temp\injector.exe"
        1⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:456
            • C:\ContainerBrowserdriverSaves\FontSavessvc.exe
              "C:\ContainerBrowserdriverSaves\FontSavessvc.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1332
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • Modifies registry key
              PID:5044
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5bQirf86Ys.bat
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4204
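The first tree above is the whole dropper chain in one lineage: injector.exe runs WScript.exe on a .vbe, which runs cmd.exe on a .bat, which starts FontSavessvc.exe from C:\ContainerBrowserdriverSaves; that binary writes the DisableTaskMgr policy through reg.exe and runs a second batch file that calls w32tm /stripchart against localhost (with /period:5 and /samples:2 it takes a few seconds, and in a batch file that is only useful as a delay) before starting the copy at C:\Recovery\WindowsRE\services.exe. The script below is an added example, not code from the report or the sample: it rebuilds the tree from (pid, ppid, image, command line) records, which is what Sysmon Event ID 1 would give you, and prints each rule hit with its full ancestry. The records are transcribed from the first tree on this page; the trusted-directory list and the rule names are assumptions.

```python
"""Rebuild a process tree from process-creation records and flag the dropper chain,
the w32tm delay and the DisableTaskMgr write seen in this report."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 = parent not recorded
    image: str
    cmdline: str


# Constructed sample: the first process tree on this page transcribed into records
# (PIDs, images and command lines as shown there; injector.exe's parent is not recorded).
SAMPLE_EVENTS = [
    ProcEvent(2612, 0, r"C:\Users\Admin\AppData\Local\Temp\injector.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\injector.exe"'),
    ProcEvent(2592, 2612, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe"'),
    ProcEvent(4340, 2592, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat" "'),
    ProcEvent(700, 4340, r"C:\ContainerBrowserdriverSaves\FontSavessvc.exe",
              r'"C:\ContainerBrowserdriverSaves\FontSavessvc.exe"'),
    ProcEvent(3548, 700, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bQirf86Ys.bat"'),
    ProcEvent(4816, 3548, r"C:\Windows\system32\w32tm.exe",
              r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(3232, 3548, r"C:\Recovery\WindowsRE\services.exe",
              r'"C:\Recovery\WindowsRE\services.exe"'),
    ProcEvent(2836, 700, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Directories a shell-launched executable may normally live in (assumption; tune per estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_W32TM_TIMER = re.compile(r"\bw32tm\b.*/stripchart\b.*/computer:localhost", re.IGNORECASE)
_DISABLE_TASKMGR = re.compile(r"policies\\system\b.*\bdisabletaskmgr\b.*/d\s+1\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rpartition("\\")[2]


def ancestry(by_pid: dict[int, ProcEvent], pid: int) -> str:
    """Image names from the root down to pid, e.g. 'injector.exe > WScript.exe > cmd.exe'."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at an unrecorded parent or a PID cycle
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def evaluate(event: ProcEvent, parent: Optional[ProcEvent]) -> list[str]:
    """Rules that fire for one process-creation event, given its parent event if known."""
    img = basename(event.image).lower()
    pimg = basename(parent.image).lower() if parent else ""
    hits = []
    # A script host (here WScript.exe running the .vbe) handing off to a command shell.
    if img in SHELLS and pimg in SCRIPT_HOSTS:
        hits.append("script host spawned command shell")
    # A shell starting a binary from somewhere other than the OS or program directories
    # (FontSavessvc.exe in C:\ContainerBrowserdriverSaves, services.exe in C:\Recovery\WindowsRE).
    if pimg in SHELLS and img not in SHELLS and not event.image.lower().startswith(TRUSTED_DIRS):
        hits.append("shell launched executable from untrusted directory")
    # w32tm /stripchart against localhost has no use in a batch file except as a timer.
    if img == "w32tm.exe" and _W32TM_TIMER.search(event.cmdline):
        hits.append("w32tm /stripchart used as a timer")
    # The DisableTaskMgr policy value set to 1.
    if img == "reg.exe" and _DISABLE_TASKMGR.search(event.cmdline):
        hits.append("Task Manager disabled via DisableTaskMgr")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """(pid, rule, ancestry chain) for every rule hit, in event order."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, rule, ancestry(by_pid, e.pid))
            for e in events for rule in evaluate(e, by_pid.get(e.ppid))]


if __name__ == "__main__":
    for pid, rule, chain in scan(SAMPLE_EVENTS):
        print(f"PID {pid:<5} {rule}\n      {chain}")
```

Each rule on its own is noisy on a real fleet (administrators run cmd.exe from WScript.exe, and w32tm does get used interactively); the ancestry string is what turns four weak hits into one strong one, because all of them hang off the same injector.exe lineage within a minute of each other.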

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\ContainerBrowserdriverSaves\6OeWR1FXcvG2y.bat

        Filesize

        161B

        MD5

        a0e39917ec26b1a741d886d6f2824323

        SHA1

        07f6e5479f17a1af7631f1d2f221b47879612411

        SHA256

        c54a9cc5dcc2f0c2e0e924eb6b86f115d3dda36209d8828dc6e76cbb248030a5

        SHA512

        4d1ddfbe497d17cc29f810f0b45dda822a1caefd2300698d9e99c729d5726070c52820a7ca3fc97e28312d7571fb79c2ce805c25130c1cb49cc7a257616cfc7b

      • C:\ContainerBrowserdriverSaves\FontSavessvc.exe

        Filesize

        1.4MB

        MD5

        ec21d29695a307898cece2a430fabe11

        SHA1

        f602caed944dd33a7e9ad432f359bbc5604bf905

        SHA256

        b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117

        SHA512

        ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652

      • C:\ContainerBrowserdriverSaves\zMf6Snc2vba9Cw6hRBS8.vbe

        Filesize

        217B

        MD5

        7467f224c084ddefe3942d6c8da511a0

        SHA1

        093de51ae525fdaaac1022b323924b8def49237d

        SHA256

        09182276f0fcae0ac63018850413010fb13a256a49ba1d9726c9badef5db5834

        SHA512

        6ba3d0ec81c4fb80d13fa481dd427673ef7eee747abf1b344d774c956c6ccbb75eddf01cf2b1900b06297fefd2fcdd9ff7015c5fbf3c78688e5aacfa83d2cefc

      • C:\Recovery\WindowsRE\services.exe

        Filesize

        1.4MB

        MD5

        ec21d29695a307898cece2a430fabe11

        SHA1

        f602caed944dd33a7e9ad432f359bbc5604bf905

        SHA256

        b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117

        SHA512

        ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FontSavessvc.exe.log

        Filesize

        1KB

        MD5

        bbb951a34b516b66451218a3ec3b0ae1

        SHA1

        7393835a2476ae655916e0a9687eeaba3ee876e9

        SHA256

        eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

        SHA512

        63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

      • C:\Users\Admin\AppData\Local\Temp\5bQirf86Ys.bat

        Filesize

        199B

        MD5

        8c97eb3c477b1a6af8547ab1213d3a5d

        SHA1

        fa48d5d97d570961e99fca1c0d682d4e036353ff

        SHA256

        7862e8e2869bbee57b9bf496805f13009fa2a7d098bd8536773df2143e7d24aa

        SHA512

        b64b8fc682a5baa4604e8aca56396bbf7966dd39030f80750133d5ea81995c2f3306fd4e30b57c04de2164c41b606f41eef73b6f41d8deffeb5ff6fb8ec83572

      • C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\dwm.exe

        Filesize

        1.4MB

        MD5

        ec21d29695a307898cece2a430fabe11

        SHA1

        f602caed944dd33a7e9ad432f359bbc5604bf905

        SHA256

        b7feb0e84fd1f65c459c5de912bdfacd2cea2187fec75d376a35a235f7439117

        SHA512

        ad1ac7d1aa58b7950b36f7f84a587cc80fc969f6c10364aed6841913f4b9fee93e2f500a69ab33b6a6d0ba6f59a5e013d3cd757a7be710c891f8261d1da00652

      • memory/700-145-0x00000000007A0000-0x000000000090A000-memory.dmp

        Filesize

        1.4MB

      • memory/700-148-0x000000001D2D0000-0x000000001D7F8000-memory.dmp

        Filesize

        5.2MB

      • memory/700-147-0x000000001B590000-0x000000001B5E0000-memory.dmp

        Filesize

        320KB

      • memory/700-146-0x00000000010C0000-0x00000000010D0000-memory.dmp

        Filesize

        64KB

      • memory/1332-227-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

        Filesize

        64KB

      • memory/3232-221-0x000000001F060000-0x000000001F209000-memory.dmp

        Filesize

        1.7MB

      • memory/4708-224-0x000000001B110000-0x000000001B120000-memory.dmp

        Filesize

        64KB