Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2e3ffb5f7f...64.exe

windows7-x64

10

2e3ffb5f7f...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2023, 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e3ffb5f7fbeb7a61469de81dc14d064.exe

  • Size

    2.7MB

  • MD5

    2e3ffb5f7fbeb7a61469de81dc14d064

  • SHA1

    9d153b840d6c9b2df768252086db867a8d910adc

  • SHA256

    247fb8446c5648499cbcba01cda9e97ce5daad8398343dc239f234465fc8a1e3

  • SHA512

    4c4dc0160eddb055a9455f5a9f8efce41551d7f148fbdac9262b92d01a3a24a487b961130fde374ce7040ca1adc270c7d119205766caceb21e3b8eeb1833c9c3

  • SSDEEP

    49152:UbA30UK6G4e3r8dh03amztNBDLTAOGqrXkAS+iIHLlDbDCXj63:Ub4/G94dmKmt/MoQASwbDec

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
    persistence
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
    persistence
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e3ffb5f7fbeb7a61469de81dc14d064.exe
    "C:\Users\Admin\AppData\Local\Temp\2e3ffb5f7fbeb7a61469de81dc14d064.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ComponentWebSvc\dnFW74Kzw603.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ComponentWebSvc\4ZTbrMkez5.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\ComponentWebSvc\Componentruntime.exe
          "C:\ComponentWebSvc\Componentruntime.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TgOHkLI5vF.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2968
              • C:\ComponentWebSvc\explorer.exe
                "C:\ComponentWebSvc\explorer.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2520
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ComponentWebSvc\file.vbs"
        2⤵
          PID:876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\ComponentWebSvc\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ComponentWebSvc\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\ComponentWebSvc\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\ComponentWebSvc\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ComponentWebSvc\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2096
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\ComponentWebSvc\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3020

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ComponentWebSvc\4ZTbrMkez5.bat
        Filesize

        41B

        MD5

        f2a92cda1e56df588a3d30bc691e2f90

        SHA1

        a7365408d901d997fb85f675e72d24365a2d5a5d

        SHA256

        700925fccc92f0993b3f5226794279d70702c983249a1a27b49bdbdf9565c22e

        SHA512

        ae68e657e28650a1b59926d381f08e9e4c62a673ed445c4d4d4a4a85970f6e61d6b5b250980c62e9a12d2475c3f23d5532db2c6d98f672d0196df67b8525626c

        Download Submit

      • C:\ComponentWebSvc\Componentruntime.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • C:\ComponentWebSvc\Componentruntime.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • C:\ComponentWebSvc\dnFW74Kzw603.vbe
        Filesize

        202B

        MD5

        d24d8ce4b1ef38e575a7926863890612

        SHA1

        158cc0e501359b687e85550d408f08491f7559d2

        SHA256

        66dc9d6eadaff46e3bdb9aa46b5352e4b981526dc0bbde3ccc2668e3b9a5944a

        SHA512

        d191727338eb23f698257062679985e945866e03eb882745114ee56d8a48d1004b4ad785d180a06c604955e6d2b997bcf121569c9a195c3f6431c75e9871353b

        Download Submit

      • C:\ComponentWebSvc\explorer.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • C:\ComponentWebSvc\explorer.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • C:\ComponentWebSvc\file.vbs
        Filesize

        34B

        MD5

        677cc4360477c72cb0ce00406a949c61

        SHA1

        b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

        SHA256

        f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

        SHA512

        7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TgOHkLI5vF.bat
        Filesize

        196B

        MD5

        a8986f96fe0c3414a14402c18635bf20

        SHA1

        c683473f2e1181693eeb1a1e328d92fc612dd1e8

        SHA256

        43bd5d4fe85d284f311f88c6de1e6a5460acbe287d91983a01ce05f52787e9be

        SHA512

        a821f31fd90f321dc1315db41ff3abc6b1d6c5dad8da72b69a6e2c7222fef772e3f8a2bb4f6e140f8f97901b62fc268f656fd836a28b7d2748127df898a696ff

        Download Submit

      • \ComponentWebSvc\Componentruntime.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • \ComponentWebSvc\Componentruntime.exe
        Filesize

        2.4MB

        MD5

        c96ab99f9e455ca8998df8b93a0d0ec2

        SHA1

        3be467577bf802731e0900f3e32fbb2747a23b84

        SHA256

        8486f68dd9c504e332a32bbd92b474cb2b9593dce6f7484a922ae7b9500d828c

        SHA512

        d4cd5ff82e14dbda8692e760fc5d768951d3bc4f7892b9633046f6a0d881de9f143901563fc7b9fe164990151c121898191fe749c9e8250366a45b9606318885

        Download Submit

      • memory/2520-135-0x000000001B0C0000-0x000000001B140000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2520-134-0x000007FEF4760000-0x000007FEF514C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2520-133-0x0000000000A40000-0x0000000000A52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2520-132-0x000000001B0C0000-0x000000001B140000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2520-131-0x000007FEF4760000-0x000007FEF514C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2520-130-0x0000000000BD0000-0x0000000000E3C000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/3032-73-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3032-83-0x00000000022F0000-0x00000000022F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-84-0x00000000022E0000-0x00000000022EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3032-85-0x0000000002300000-0x0000000002308000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-86-0x0000000002310000-0x0000000002318000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-87-0x0000000002320000-0x000000000232A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-82-0x0000000000A00000-0x0000000000A0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3032-81-0x00000000009F0000-0x00000000009FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3032-127-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3032-80-0x0000000000690000-0x00000000006A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3032-79-0x0000000000680000-0x0000000000688000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-78-0x0000000002290000-0x00000000022E6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/3032-77-0x0000000000660000-0x0000000000676000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3032-76-0x0000000000450000-0x000000000045E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3032-75-0x00000000002C0000-0x00000000002CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3032-74-0x000000001B110000-0x000000001B190000-memory.dmp

        Filesize

        512KB

        Download

      • memory/3032-72-0x0000000000A10000-0x0000000000C7C000-memory.dmp

        Filesize

        2.4MB

        Download