Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3d79293d37...14.exe

windows7-x64

10

3d79293d37...14.exe

windows10-2004-x64

10

3d79293d37...14.exe

android-9-x86

3d79293d37...14.exe

android-10-x64

3d79293d37...14.exe

android-11-x64

3d79293d37...14.exe

macos-10.15-amd64

3d79293d37...14.exe

ubuntu-18.04-amd64

3d79293d37...14.exe

debian-9-armhf

3d79293d37...14.exe

debian-9-mips

3d79293d37...14.exe

debian-9-mipsel

Resubmissions

14/01/2025, 02:46 UTC

250114-c9pv5avjfz 10

14/01/2025, 02:24 UTC

250114-cv7sdswpbj 10

Analysis

  • max time kernel
    900s
  • max time network
    634s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2025, 02:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe

  • Size

    16.0MB

  • MD5

    5aa236eabe65a1e444f1eb31fb330eba

  • SHA1

    b6a8d5362991511526ea5a2b86ad70f05e70652c

  • SHA256

    3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714

  • SHA512

    0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be

  • SSDEEP

    98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4

Score
10/10
dcratdiscoveryevasionexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
    C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe
      "C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:884
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4644
          • C:\portBrokerDll\DriverbrokerCrtDhcp.exe
            "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1124
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wfv2uvn\3wfv2uvn.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2088
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7431.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8FCE0C04AA6C44C08477E174793D3C33.TMP"
                7⤵
                  PID:4304
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ermltavx\ermltavx.cmdline"
                6⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:1804
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74BE.tmp" "c:\Windows\System32\CSCB602D4A293F843BDA5E89F16D6FA3414.TMP"
                  7⤵
                    PID:1940
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LTvLTcctgQ.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4428
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:2924
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:1744
                    • C:\Windows\System32Local\spoolsv.exe
                      "C:\Windows\System32Local\spoolsv.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3492
          • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
            "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
            2⤵
            • Executes dropped EXE
            PID:232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\System32Local\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32Local\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4612
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\System32Local\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2872
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 12 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 10 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3408
        • C:\Windows\System32Local\spoolsv.exe
          C:\Windows\System32Local\spoolsv.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3168
        • C:\Windows\System32Local\spoolsv.exe
          C:\Windows\System32Local\spoolsv.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2800
        • C:\portBrokerDll\DriverbrokerCrtDhcp.exe
          C:\portBrokerDll\DriverbrokerCrtDhcp.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3600
        • C:\Windows\System32Local\spoolsv.exe
          C:\Windows\System32Local\spoolsv.exe
          1⤵
          • Executes dropped EXE
          PID:4688

        Network

        • flag-us
          DNS
          196.249.167.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          196.249.167.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          167.173.78.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          167.173.78.104.in-addr.arpa
          IN PTR
          Response
          167.173.78.104.in-addr.arpa
          IN PTR
          a104-78-173-167deploystaticakamaitechnologiescom
        • flag-us
          DNS
          209.205.72.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          209.205.72.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          200.163.202.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.163.202.172.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          241.42.69.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          241.42.69.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          21.49.80.91.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          21.49.80.91.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          8.153.16.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.153.16.2.in-addr.arpa
          IN PTR
          Response
          8.153.16.2.in-addr.arpa
          IN PTR
          a2-16-153-8deploystaticakamaitechnologiescom
        • flag-us
          DNS
          804052cm.nyashkoon.ru
          spoolsv.exe
          Remote address:
          8.8.8.8:53
          Request
          804052cm.nyashkoon.ru
          IN A
          Response
        • flag-us
          DNS
          14.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.227.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          131.72.42.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          131.72.42.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          804052cm.nyashkoon.ru
          spoolsv.exe
          Remote address:
          8.8.8.8:53
          Request
          804052cm.nyashkoon.ru
          IN A
          Response
        • flag-us
          DNS
          804052cm.nyashkoon.ru
          spoolsv.exe
          Remote address:
          8.8.8.8:53
          Request
          804052cm.nyashkoon.ru
          IN A
          Response
        No results found
        • 8.8.8.8:53
          196.249.167.52.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          196.249.167.52.in-addr.arpa

        • 8.8.8.8:53
          0.159.190.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          0.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          167.173.78.104.in-addr.arpa
          dns
          73 B
           139 B
           1
          1

          DNS Request

          167.173.78.104.in-addr.arpa

        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          200.163.202.172.in-addr.arpa
          dns
          74 B
           160 B
           1
          1

          DNS Request

          200.163.202.172.in-addr.arpa

        • 8.8.8.8:53
          241.42.69.40.in-addr.arpa
          dns
          71 B
           145 B
           1
          1

          DNS Request

          241.42.69.40.in-addr.arpa

        • 8.8.8.8:53
          21.49.80.91.in-addr.arpa
          dns
          70 B
           145 B
           1
          1

          DNS Request

          21.49.80.91.in-addr.arpa

        • 8.8.8.8:53
          8.153.16.2.in-addr.arpa
          dns
          69 B
           131 B
           1
          1

          DNS Request

          8.153.16.2.in-addr.arpa

        • 8.8.8.8:53
          804052cm.nyashkoon.ru
          dns
          spoolsv.exe
          67 B
           128 B
           1
          1

          DNS Request

          804052cm.nyashkoon.ru

        • 8.8.8.8:53
          14.227.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          14.227.111.52.in-addr.arpa

        • 8.8.8.8:53
          131.72.42.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          131.72.42.20.in-addr.arpa

        • 8.8.8.8:53
          804052cm.nyashkoon.ru
          dns
          spoolsv.exe
          67 B
           128 B
           1
          1

          DNS Request

          804052cm.nyashkoon.ru

        • 8.8.8.8:53
          804052cm.nyashkoon.ru
          dns
          spoolsv.exe
          67 B
           128 B
           1
          1

          DNS Request

          804052cm.nyashkoon.ru

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        3
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DriverbrokerCrtDhcp.exe.log
          Filesize

          1KB

          MD5

          a6cd1c3e645a5feb627a00f125da9fc8

          SHA1

          61d3b101c5e286ff21cc62a0e21484e556835317

          SHA256

          fbbf9453956534a33bd6f75f61926c50fd62bfca4976b818ccca5b8260fd4917

          SHA512

          5e70d82849172c3b978172ead140a5a9a3e6ee91a570e998f3b0536e788dad22499deef0685f9cd22f6aa15ba315d65600750414f6e21fd6a851c0bd70e11518

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
          Filesize

          1KB

          MD5

          bbb951a34b516b66451218a3ec3b0ae1

          SHA1

          7393835a2476ae655916e0a9687eeaba3ee876e9

          SHA256

          eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

          SHA512

          63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\LTvLTcctgQ.bat
          Filesize

          164B

          MD5

          8417ee2f9b964d20ae5c6ae8bb5d8ae0

          SHA1

          89653f70669f745f35b21f120b4ea132d9497520

          SHA256

          f41e37cc6834eae3241a63e6b00e597892022e958b1eaf063887141e7eb4ea22

          SHA512

          fd6f9f53698f35f9e4ce8c3a3a323434ebe0d5a1f177d9acf364297029a50f7e26df31d4da32408226846832578e69a8fff66318f8e7e3f634528969073bf69a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES7431.tmp
          Filesize

          1KB

          MD5

          a38fc3261701abbaa62a300175dc005a

          SHA1

          7f2c818bffb5dd481736ed702989159a9755ffc4

          SHA256

          4f3ebf22ed502c5f8b5316876c314a04d17b4561b988e7db3c213650911d5138

          SHA512

          f28f799a9ef50cdcf0feaa51ffd9b3ac52b8742110f98aff62d839c3ece098d7f54063932905ef94d74ce11cbd3be622f9cb47430907d1906fe299d8cac98143

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES74BE.tmp
          Filesize

          1KB

          MD5

          4b9f084f7071f0ddc9ca9c403cb2cf0d

          SHA1

          b3a6d52b4d5541636c877727865d420bbdb07206

          SHA256

          1b629db6cbc6346003b3494587ddfb1adc57e57247c972cca403e703bb48f8a6

          SHA512

          f4c95143765754029a22ac9bc6e00397e9c0b405b9d56d7333d63ee7e45dc6650a5c9f66c3d793b85bbab85101d345822ca11eba1bf39df585eeeb8d87d2d21c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
          Filesize

          3.5MB

          MD5

          056586e6a4d9b97c77fd606b2a63f604

          SHA1

          b13e10949df28f3944c68b950617a641ea20491b

          SHA256

          4d3b4ef0ec929ebd649637f55aabd856954e3d6424ac337a17ee4bb65ec2e8f3

          SHA512

          da2c4066a7975ede5c1645d6cd82f0499b452a021d18aa86ad64130efc9f1da2270be30a7af89b4cce97b0eb13c27f55f37c70db5f2f6aa4a2b5a54dcae72cc0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe
          Filesize

          3.5MB

          MD5

          bcf49847a74e554a807294d4f5adfa62

          SHA1

          c6f105b28ac3bc7dd2e4a444cf96edbcdc45febf

          SHA256

          eae94b757fe5e150f8f1039140feebc969788bd2c0ef7fe2d4675a81f6dc9898

          SHA512

          489cf5844853a4ba7489386a545d0369e1eca835a70053aa6e408aed7f42eaa26684859ddf50b874c643c53ae050dcd3d1a27e887e413c8db8636818ba7dcdcf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0w3xecdc.dsp.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\portBrokerDll\2jfojLJgRy.vbe
          Filesize

          237B

          MD5

          851d51cdee60a57d4aef51ea7f466436

          SHA1

          34a13967e69d21091850d4f0dffb2bce88c80e0c

          SHA256

          5d612089c06bbe2b32de8bfcc3e0ba1e0ef2155cd6cde83b280797c6061ca269

          SHA512

          7fed60da3ed3ff2a26b8b4cadf0cf6cd3e28259a4a7ec7e3ba97509fa47b7ca75753ca49edf2f218ae323830977c2ecdfb2f05b6fa5de303038c31012926e953

          Download Submit

        • C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat
          Filesize

          194B

          MD5

          69c0edf85b6d3ab82c42e82ef04f50f7

          SHA1

          7acb4d2454d9e04db488c2ee4352cfece1b8ae58

          SHA256

          3041cc5e5c4251ea1eddccaa5d145446719d6e86dcfd3bc40bc23c80b3102ec2

          SHA512

          04877f967609e6efb4a8c4f99c4130b3894eb223f390d32c6e2248abaf1bdff71f539f122635f18fa432648b927cc597dd7bdaa52284824f8c57c7909f7dca21

          Download Submit

        • C:\portBrokerDll\DriverbrokerCrtDhcp.exe
          Filesize

          3.3MB

          MD5

          c9d8bce0425ed81346b9a43f148d948b

          SHA1

          d3bcb8f02ef3732ffa70fc798cd4ad3d77bbbde6

          SHA256

          884de0ba4d113a1674b112f76b7d6af9bb11c562d6b58155e974e549694e0f58

          SHA512

          60e0d21db0518d66f4546dceb978b15d2eb87347cc1676b7420eb2a6c4c1c6fa947d31ae8cb70ce880b76f931702aaab51c46f559dd91a49c9a4bdc83b75368b

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\3wfv2uvn\3wfv2uvn.0.cs
          Filesize

          388B

          MD5

          b194545888e0394510d7fcf239c3dc75

          SHA1

          cc64b922807436efa17d9ad89f8d58e03eee55da

          SHA256

          b252ad04ce707f94f9ab41ef2380465e999451b3952ac9462c32a30612fcd15c

          SHA512

          ecb5c9e7747eddbc7cfc9d9e23d9ec8cd3a8b7d84aa54ec7a52be9d16abc6c8010a45f5985f86b98afa2fa9f37c1c7a33325d33dc91a90ca0ba7ce58fad04a72

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\3wfv2uvn\3wfv2uvn.cmdline
          Filesize

          255B

          MD5

          ee10be656b23cd60064ff44b2f1d8c87

          SHA1

          9f48d270e3134bb0f3dbb965597ff6f4729ec94e

          SHA256

          b7298c9cce0b71b2acf48605b9fddec06157b4e3fe468653a94cb1bfc413cb85

          SHA512

          cf70c1ea84a2a138171b00fd166622d790b097f0efb22c498c4e1fe9237478e3db8168a0c9a489764471ce69602784d4a4c8817d0d7b7678393a180c78e66fdf

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC8FCE0C04AA6C44C08477E174793D3C33.TMP
          Filesize

          1KB

          MD5

          dc289c30c143fd2f8e608119ae4846a0

          SHA1

          2f0d6888b80d26d9ff52b5decdd63963255e5113

          SHA256

          37aac241c050fb90090b36441ae1f198d11a0da4ee5f30e3332673f3c6ecf40a

          SHA512

          68bffd2b69ee9d5857fc9d5b2a71561a985738b5fe0768fc7dd23a753c976529158042f2a239ffe74ed99b5bd4b469fd2220a990d20a742935f5560a55f2d6fd

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ermltavx\ermltavx.0.cs
          Filesize

          368B

          MD5

          70a25ac969bfff4767e3d35b4bda769b

          SHA1

          ac45f7f83f877c4d8b04b89c28c5b92b9bac9d7e

          SHA256

          d15d120b1d89788dca449cc8d546a9a91ea0d8a23f711043fedc96694adae190

          SHA512

          288e15be4ffc8b639e6c09c3ae9aab00992d2cddb70b895b00da4c79b4cd8cf7cf749a5f00594ff2e702d880c252da072bc82bf557ff612a5625a1f48e1da398

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ermltavx\ermltavx.cmdline
          Filesize

          235B

          MD5

          05bd2d1735f837ae070d0b756df8499a

          SHA1

          967d556a90fea5006c9288312179b045554c6c3b

          SHA256

          5640fa6c42f2ec3f45c6e2c4619ad0df70acc94837edc25c8d2ae46b7b0f0f2f

          SHA512

          186723621f7f5cb75a667055130626556a294b9ad0ddaf5603854f79c455b0fe9a990778938620c6b5359684a39059444801c4d432b603d1e1e07174f4f5b90c

          Download Submit

        • \??\c:\Windows\System32\CSCB602D4A293F843BDA5E89F16D6FA3414.TMP
          Filesize

          1KB

          MD5

          be99f41194f5159cc131a1a4353a0e0a

          SHA1

          f24e3bf06e777b4de8d072166cff693e43f2295c

          SHA256

          564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

          SHA512

          51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

          Download Submit

        • memory/1124-64-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-3616-0x000000001B200000-0x000000001B21C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1124-70-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-106-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-112-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-118-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-116-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-114-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-110-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-108-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-104-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-100-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-98-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-96-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-94-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-92-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-102-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-90-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-88-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-86-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-84-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-82-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-80-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-78-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-76-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-74-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-68-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-62-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-60-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-58-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-56-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-72-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-55-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-3612-0x000000001B1D0000-0x000000001B1F6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1124-3614-0x00000000027B0000-0x00000000027BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1124-66-0x000000001B240000-0x000000001B5D9000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-3617-0x000000001B630000-0x000000001B680000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1124-3619-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3621-0x000000001B5E0000-0x000000001B5F8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1124-3623-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3625-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3627-0x000000001B220000-0x000000001B22E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1124-3629-0x000000001B600000-0x000000001B60C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1124-3631-0x000000001B610000-0x000000001B61E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1124-3633-0x000000001B6A0000-0x000000001B6B2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1124-3635-0x000000001B620000-0x000000001B630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3637-0x000000001BBE0000-0x000000001BBF6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1124-3639-0x000000001BC00000-0x000000001BC12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1124-3640-0x000000001C150000-0x000000001C678000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1124-3642-0x000000001B680000-0x000000001B68E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1124-3644-0x000000001B690000-0x000000001B6A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3646-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3648-0x000000001BC80000-0x000000001BCDA000-memory.dmp

          Filesize

          360KB

          Download

        • memory/1124-3650-0x000000001BC20000-0x000000001BC2E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1124-3652-0x000000001BC30000-0x000000001BC40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-3654-0x000000001BC40000-0x000000001BC4E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1124-3656-0x000000001BEE0000-0x000000001BEF8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1124-3658-0x000000001BC50000-0x000000001BC5C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1124-3660-0x000000001BF50000-0x000000001BF9E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/1124-54-0x000000001B240000-0x000000001B5E0000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/1124-53-0x00000000006A0000-0x00000000006A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2092-18-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2092-15-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2092-14-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2092-13-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2092-12-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2092-4-0x000001B1827C0000-0x000001B1827E2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4688-22-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4688-1-0x0000000000FB0000-0x0000000001332000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/4688-0-0x00007FFBAD563000-0x00007FFBAD565000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4688-39-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

          Filesize

          10.8MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.