Analysis

  • max time kernel
    129s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 18:53

General

  • Target

    149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe

  • Size

    1.7MB

  • MD5

    2654ed21f41ddf23c0bcad4b7fe550e1

  • SHA1

    55191e232ee3851a66f264cc3f163a5a14c84843

  • SHA256

    149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0

  • SHA512

    748d64575954c442b1a261a8b647b4dd9af93b42382bb227972c977818ed155bc93a8afc1e7e7edcf62da32877581fb9a42b87521bc849be45a27711639a0c2d

  • SSDEEP

    24576:w2G/nvxW3WieChFP0UI2K/L7OXxfeacboEkAGpkXqde7u0GUzzGQYpXTcviXSzDI:wbA3jYUI2JX68Ncu0fnS5yiXSzD

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe
    "C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
      "C:\Users\Admin\AppData\Local\Temp\dcrat3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1712
    • C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
      "C:\Users\Admin\AppData\Local\Temp\dcrat1.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
            "C:\\Windows\System32\Microsoft\Protect\S-1-5-18\User\dwm.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Users\Public\cmd.exe
              "C:\Users\Public\cmd.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1352
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\es-ES\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Characters\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Characters\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    b35657871d7de27ecb105af91eb4b71c

    SHA1

    4f446c27e7145d6c7633311f54f236b30b0afeb1

    SHA256

    9363e16a1df61ac83a247ce6c7b258a1a9098b627788179cfdba8475347b3481

    SHA512

    1c18a9075f7606864afe2530ece24760f69b83140ecbf641fa2e3304ffdf0ef98ce68992f56938b391b58f2ee56a7aaeb715c42f0bac053ce5286ebbba6500d4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bb6da7866d532d3f1407021f419d315e

    SHA1

    d4438e8071155342f79b6e6f42409bc356b51c75

    SHA256

    aa16f973532c7134619fd418f9128f36cd8db7a486c6de981ca313a5d45e1cf6

    SHA512

    2335c7cd55f41e181bce4f13504f111553f420431df0a0366266b07dc960c77aa41c794f12c6730db71f00d838ae4d9a91b76a5b3714aa30f8987c2a3b5bfec4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d6cbcbc16054eccc6805cb01d225ea96

    SHA1

    8df719466c0c1d68517a311638572d3bd0275699

    SHA256

    9580cdac9c9841679cad02091ce19f8e6ed33f8b70aae13fe338e3537a29c2e8

    SHA512

    9ef40a8a925fa6f44fb1e5734a99f34903051ff120005a6b19584ee64b02dc27e70ae2e87bc2f8f24dea524b0bc041339fbe62efef8b6a08b33b23c180938e5c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bc67d38d32dfde6385424f8cacc0c964

    SHA1

    13b10d4948e91b6138372ae116b6a520ded02bdb

    SHA256

    125c3dd9cadbc81ec2e9cf9c2c62003ca1e5cb67f46c250e6cd1800de188e149

    SHA512

    c9b79d1d722f609917e556785aaf899c00e90788c48ff19846648a25094c97b940f46880c979cf0f25b6d7e3052eee65654a3d557d755c28cd866dcabb00ce71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    e5d2e85a6e61f517ecb0d8672e68082c

    SHA1

    3b812d5ff00893cd57eb343d1430da45399ad719

    SHA256

    aae5d3f30916f9a17c633a225a0648eaf077757c97b00ee0ebfb6d32c5902dc2

    SHA512

    fc9803376798fcf7aab61c805aa9955d2741296c6ec34feb710f16a76d6ec786d2ceb6a6315fcad518be1a2873baf9af107b32b1d30939d347ed8e174fe2b52a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    776a240686e5849b697563b1fa848732

    SHA1

    202e4003878e7cafbc96ae777b648df20b3fe8d9

    SHA256

    b1dbd0324deeaed2f1d2a9022b88181575f43de22ca433462b3dcef64c8b1b70

    SHA512

    ec515e5dc9b490b0381728dabfebc1deec2031977884ae02e3b6550ca9a2d53b70cc92d73ba073de9927dc703c3a70e524ea5feb9d4da5874f693e7ed65b8acf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    2eb8154bb6de2b942e8a0289385e930e

    SHA1

    fae3f2b80c2d5e02880b751bcd16ea422cec51e6

    SHA256

    697c0f0abcf3e1080361590008c60a184efca56367b2393d28eee5224f21ab3a

    SHA512

    36c58d9b797494d6b67b40a3a884c66e87affe6a9f90635f646d4e9ed50dc2465ecde38bcf16fa2ae45664fc269867905822405c5ceb561b006bc4230e715f71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    e033310658a3096e8bd148a4662e3f7b

    SHA1

    4417c5503263676925eb8cdac529dc28470a0c03

    SHA256

    37b912addd2512f7c3dc1c8c86ab0bf1e685a17098623a83a61b04c96b3c0b66

    SHA512

    ac34f98d5fec9ffd43f567770c26bca4f5f5f782c22405aad564112ead408298fe553ba896e09368d56f9a75965d7e8416f3aabd898f3a7a543355bb4d8c4de2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    c1ef38411412eb0c6296ae668b6d238a

    SHA1

    4e780503ccfdbc65ad20d2df7bd46f4d7ce867a5

    SHA256

    8695b87e39e9316a0297f7b41adc6581b72e23c9acf03ead6a74c8c55ce54c18

    SHA512

    671ec349476a2c564d6427145fcfb606996017d040e1312ef8cbf8541f027815ddf17f1e3464da7f3237497b1558082a9c0d42077272e2ed0fcee06a5dbd3d03

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    35bdedda8988723d5a78bb375841cbd1

    SHA1

    0692cb53bab1c3653c84824d62d3da309a95b74f

    SHA256

    cec47bde33dd6461e974d6b110e38a00dab4c814b79090538b925dea84223ef2

    SHA512

    a5981436d0171adda53e5c398e810d2f027deb36bc7fbff019f17ed68e253dbff0a0d758c6c3dcc1983e066650b2cd9d00fa48b9dc6ec5795c033c597c7f54d1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    863eda2f5a0ef02428c13e5b11cdb02e

    SHA1

    873bb7af009ae6abb7b9bcb041b2ab5baea993d8

    SHA256

    e5d4d036e816589d24df03caae8e6ef456175eae5eb1e3e29d80dacdc1dd6217

    SHA512

    2a6d68c89249458fa7835ee84c74e4578a7e8ed73d6a23705fdbf051ff905aca0fefb425451d5cbff328480ca5bbff44b92a4a4efbf28525e5e9dfbacaa605ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5aab7fc583487beb87e485bf1bd07566

    SHA1

    b7656621c21caf042fee89efbda17188b539c7e1

    SHA256

    fd831f8ff114172484da25a96e4fe0070a3bee65da4c43a83e075e157dbb4ec5

    SHA512

    fbe6e6d4b07af3358401b94a009b9630658d1632283c4241961c55e3ca7049ccf0abb4a688de775102860c58a75e485e831525a671b7431d4329e4dc74a5a9eb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    515ef2dbf453a7546ab517d4b2d852da

    SHA1

    461c244ab777da80118667eb742edcfcd284aa4c

    SHA256

    43b196539042ce2ca03862148c17c0ea0d72386fd677371f4618a942dafa90e4

    SHA512

    ee9d4f6f2bc0635ca79821e8ad9b4eb6d583c9e61b135ac2b386815fe9f0d963d1239eaf53221b8b350ee3de5a13dfb7bb9da1b87670d0571389ac2184582ac0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    afeeaba1482973d9ad68c974d6e1965f

    SHA1

    cf4f22cdf309d8d119f4191815471526a828e466

    SHA256

    14a7ce9dab8c6744ab9cc7cae1f76da582dd561d1647b9a7c13344977d92e174

    SHA512

    86931811a19a72ebaab0efc50b03dce30a7553573f41b52b5dedd0cff752dec34ce83090d8eff036bf0a36386d9460e094873bfab0f95fc33fd4fb2d3e3a7573

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    ce4907448cd4d325442cd6533bb9457e

    SHA1

    7f54f4fe0755722802a0ffdd0f405a447db4bf71

    SHA256

    1af8d466f66a479ee070699d4f69460d5c3c066b3e422a5b092407bdab55eb96

    SHA512

    6931444ec46f8e7365b1cb86adc784eb6ecded6f2ba61b5d8c596df9c356efd77a115e9e7aa3641bd82459d5ee8892bed9306f560ab9b835d63a68eb1f6ed9ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    c5aee6e0070bd40eca33fef552f1f6c5

    SHA1

    29675601443754d1cc496ebeb71559c82a6e626b

    SHA256

    dc53361db6e9e29c99348224dcc5940b76ae0f32b39cc1b142e5e2c0bd01bbf6

    SHA512

    9b82a122376e9b3393d63494edec7467a17564b3d908f22e4f6d0b112cb2e6393ad89b3ca07614fcb98b574fb7f75fc0565eb333493c7871695ce8b9c5f4c968

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1c4378490f431eb5254a534e68da50d5

    SHA1

    324d6ff5414dfa342e4d0b4778a43ef6c5f4b658

    SHA256

    adfc94142e8aa5ba81681393d71a269dc40e12a848baf51a2657d0ebb17827a8

    SHA512

    2e7efc782d9279d3d518806cfe8cd4df88b4c7bc8c384c8b65b06772602133e3817a60aeecbd8c1518152e1d20896614cbbe5c03c745405bd8309abef478518f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    bb5dccd86c32a3407f0c270247c07ac4

    SHA1

    3f61f0cc2c0d6af0a46aae6215cb1aded286e577

    SHA256

    aa7899ff54b8dcc55cd2aba7a598ab965d9e035dde92f121e57492462579f49d

    SHA512

    2dfdc52f55de0a95397e01e1803c022be5922269f8e3d5cfa7f8515657a9b96eaf7a40297f8b7294dd0d6665ae7c0bdb03d1c321d5c2499ace4af9186178307f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\3ZN4ZLFU\www.java[1].xml

    Filesize

    13B

    MD5

    c1ddea3ef6bbef3e7060a1a9ad89e4c5

    SHA1

    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

    SHA256

    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

    SHA512

    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

    Filesize

    1KB

    MD5

    0b8c5b7b7b47a93bbfb6c5143b894b16

    SHA1

    d461f7f718b8b67aec672701d9327abb159c508a

    SHA256

    148f7ad7f2a7ef13d713f6f63032b641e6f03a9faa96e3eaf2626c45ff2ae9df

    SHA512

    89843f82100d6c771ca0dccda71ae340baeb7f70c5749b77fe54c52bb8387bbc1b7c8744be49e65f146ca5e07edc9543963c46e4ec97c1a2da434ef31b5bd4f3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\favicon[1].ico

    Filesize

    1KB

    MD5

    8e39f067cc4f41898ef342843171d58a

    SHA1

    ab19e81ce8ccb35b81bf2600d85c659e78e5c880

    SHA256

    872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

    SHA512

    47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

  • C:\Users\Admin\AppData\Local\Temp\Cab626C.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar627E.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\Tar637E.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat

    Filesize

    174B

    MD5

    d140d65ea96f1a8e52a20c00b8092225

    SHA1

    4f7831d9ee21770079e91f083b8c4ce77a544695

    SHA256

    2dc114e83c3e2339c249a58648875ec0988dec9158ab35cbfe9cff50171ae3ac

    SHA512

    4c0539d4584d7814ea3c73b771a80321fc58208e9a122f29129898621d0dbe4de72c05100c9fac7f503b0b7a0ada4045cedd7fb9434bd904bb51b8b9a74f3830

  • C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe

    Filesize

    1.3MB

    MD5

    6a052712569ad65c7bd5a0ffab54c051

    SHA1

    0dbff6cdf01b13465a729e2370cf2244fe5a0218

    SHA256

    ab64355e0ceb9e47a235a8f1be8d557d22e267521be47733d476f8004a3a69e0

    SHA512

    8875cd956120870a452dd85113e90cf3b3fe7132bf6b699caf9944a72b8700dced4e5e41e882c021b34a376fa645c2a841e454eba49bda684285512baaa91cda

  • C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe

    Filesize

    244B

    MD5

    30a1a984f3afcec8d166e9b90ae4dded

    SHA1

    5dd5a1fb85732376bcb5478e5f627d251ef79983

    SHA256

    6fc7d156666453ba430f30ea19b47c55a0bf88a7c1a8ce407322270e8f596929

    SHA512

    63e72a5178fbffda94382356177f07a0781bb4a597be67075395c3afe4002a9c186d5b5edb5b7e4bed6c38c8c8b06acc0c623a0ec963fa4216383a6112ffc768

  • \Users\Admin\AppData\Local\Temp\dcrat1.exe

    Filesize

    1.6MB

    MD5

    81e978a9392b56444619c5fc28bcf0b0

    SHA1

    cf322f5be4a9c3fad09714a1efb7e730ba977c40

    SHA256

    70eae81f9363375c7301e4d48a7c5bc5588a9100cbd300eb358fed2327c40dbe

    SHA512

    370e4faf61c93d47b3e60196fc1f8c17de35b076b383566a817c5a2358396dd6a7dc5677b86115cd61d413e4c717ddc5c426aaa2590f47b63643bbfab148d76c

  • \Users\Admin\AppData\Local\Temp\dcrat3.exe

    Filesize

    72KB

    MD5

    2c7d37e90dd8ab57d06dad5bc7956885

    SHA1

    da789c107c4c68b8250b6589e45e5a3cf7a9a143

    SHA256

    5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

    SHA512

    e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

  • memory/296-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/756-0-0x000000007482E000-0x000000007482F000-memory.dmp

    Filesize

    4KB

  • memory/756-1-0x0000000000DF0000-0x0000000000FAC000-memory.dmp

    Filesize

    1.7MB

  • memory/1352-58-0x0000000001180000-0x00000000012D0000-memory.dmp

    Filesize

    1.3MB

  • memory/1352-59-0x0000000000380000-0x0000000000392000-memory.dmp

    Filesize

    72KB

  • memory/2436-33-0x0000000000360000-0x000000000037C000-memory.dmp

    Filesize

    112KB

  • memory/2436-34-0x0000000000380000-0x0000000000396000-memory.dmp

    Filesize

    88KB

  • memory/2436-31-0x0000000000B90000-0x0000000000CE0000-memory.dmp

    Filesize

    1.3MB

  • memory/2436-35-0x0000000000340000-0x0000000000352000-memory.dmp

    Filesize

    72KB

  • memory/2436-36-0x0000000000490000-0x000000000049E000-memory.dmp

    Filesize

    56KB