Overview

overview

10

Static

static

10

eb829087dc...a1.exe

windows7-x64

10

eb829087dc...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2025 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1.exe

  • Size

    2.2MB

  • MD5

    9ca4c55fca9566c4fa4190afc1e0f72d

  • SHA1

    6a5648d383c1e9fa49483c1a5c33fd4188dc2cae

  • SHA256

    eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1

  • SHA512

    aa0be340671557983bdd234aa2ce3781bbdf484a6de9f31f39139757d67dd9be45285a121d4e250b79da16fb5f80d2f98b4d9dbd661ffeda593c33514eb1c1b4

  • SSDEEP

    49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:sLlK6d3/Nh/bV/Oq3Dxp2RUG

Score
10/10
dcratdefense_evasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 13 IoCs
    persistence
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 26 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 45 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1.exe
    "C:\Users\Admin\AppData\Local\Temp\eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1520
    • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
      "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4900
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2997acd-a148-4d3f-b8ac-cd574443dcd4.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
          "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2416
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c7d1ca-86da-4480-8146-fe255a169c5c.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4820
            • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
              "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4324
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6dbf17d-1b78-4548-b053-cfbaec29ba74.vbs"
                7⤵
                  PID:4636
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95424e2c-5d37-4c6a-85fe-1b85ded239d2.vbs"
                  7⤵
                    PID:4360
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b83a43f8-155b-4d64-b570-7444880a0b39.vbs"
                5⤵
                  PID:3972
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd8d81d-c54f-4f00-aff7-327302bb6a31.vbs"
              3⤵
                PID:1304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1772
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3948
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4436
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3592
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4928
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3432
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1988
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1344
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4080
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4188
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\SearchApp.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\SearchApp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\reports\SearchApp.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2284
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4272
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1164
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2924

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
            Filesize

            2.2MB

            MD5

            e4238e24970b2f6959cdf106e16c8a22

            SHA1

            54f129501f255a07d501b83822ccd4feb0afe27a

            SHA256

            c6fda5723a0956a5e38abca746301c3366fe2e3cc3fbf7fa30baca7284dfdd82

            SHA512

            5056956ea72ee8f54c6a6506d796a29a4f2f99eec2babe506a7ff3e26fb75af9f6b538d99d43a38fd1eafe13f391a5c0bdef3809bb55b0f827a2ee1865cf6ad3

            Download Submit

          • C:\Program Files\Crashpad\reports\SearchApp.exe
            Filesize

            2.2MB

            MD5

            84c6286a64d6529b14d4e5caccb76e8e

            SHA1

            cc2457fe41999554745dea85a963091b62a5f20c

            SHA256

            23592be6cbf4935ec9a5b8bbc42d3aa704125adbe04e49eb2e7cc0b754444096

            SHA512

            64f21fec7cc398a74ee48bce5f6f5c012a135f1f7bc2eefba55ed8801a6fe25fcdfad5ab88d55d21f4c4a2230e4002efa5badf84350c68b5a376ab3c05290a26

            Download Submit

          • C:\Program Files\Windows Defender\fr-FR\fontdrvhost.exe
            Filesize

            2.2MB

            MD5

            a15e3a7450c8e2bdcd91c78111f55c56

            SHA1

            503d7caba3b333c1a8f55545a250b8562d6ce57a

            SHA256

            8dda705e2a0700ddaaa3fc6d77749a89705136e023ec9b0445eee564c3a4b210

            SHA512

            65e2d0e50adad3ae1ebcd75a66f6b7328bbbc5f8d129e16e6b99ca7a02f2a11068ccfb4d23be04bdb9dd76daa69d79b453aa182909232a425ffe209992292e2c

            Download Submit

          • C:\Program Files\Windows Sidebar\Gadgets\lsass.exe
            Filesize

            2.2MB

            MD5

            c9807364be88e047532efb1505dbc203

            SHA1

            09e733893aed0846ceb6d36c23b0053c8f91d294

            SHA256

            904a2695b567139ec25d462442be1f049663a904d4279486f98146880d40d531

            SHA512

            ce7ba3f24e759984b8da2f314a8ac6fa9ed1445e036331b4a58207461d57c709fa876ef5b649545ebc5c78185191bbdf07d19cf0503431808949943ff4662a86

            Download Submit

          • C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
            Filesize

            2.2MB

            MD5

            9ca4c55fca9566c4fa4190afc1e0f72d

            SHA1

            6a5648d383c1e9fa49483c1a5c33fd4188dc2cae

            SHA256

            eb829087dc0c18540bb133b5f74c6092c6e9c6e0da94f0da47ff28fa6d404ea1

            SHA512

            aa0be340671557983bdd234aa2ce3781bbdf484a6de9f31f39139757d67dd9be45285a121d4e250b79da16fb5f80d2f98b4d9dbd661ffeda593c33514eb1c1b4

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
            Filesize

            1KB

            MD5

            49b64127208271d8f797256057d0b006

            SHA1

            b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

            SHA256

            2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

            SHA512

            f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6bd8d81d-c54f-4f00-aff7-327302bb6a31.vbs
            Filesize

            517B

            MD5

            9940db3a9c40174cbe93ea59cf09940c

            SHA1

            8586f65dea1ad49e85a8bacc72d92439da18c794

            SHA256

            c3abefac7de49e6f67dc5a2ed25776c2e87f95f33153d50570a2aa0bf8657f8f

            SHA512

            aab97b882c4f4a4f5f8eb27971f0429daecf1baba7ea1e0641e8a8b398910bfd26348fba46e3e2f144ac01726e3e50c8e8325027e7da876eb60211891609a9a8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c2997acd-a148-4d3f-b8ac-cd574443dcd4.vbs
            Filesize

            741B

            MD5

            a27566b3463d833eccf96501bc2d7512

            SHA1

            069b79fe26f033eea3afb97cbabac019681fdb34

            SHA256

            b7934e2159e90efe471a29773ee642257a9a61b75f61cfc5c5f61318b662bb1c

            SHA512

            559473efc1fede4759d6e220634ef7204313fa3fddc981133d820dcefef6997769b270182b9957a6723e6dcf146b0221f54d7f1fc53291e7000010587a9be20e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c6c7d1ca-86da-4480-8146-fe255a169c5c.vbs
            Filesize

            741B

            MD5

            895c8e48bbfc946b5395c55c71167816

            SHA1

            b4a7dd31a2f309bb7a89302b34d3c0cc2e2db5f5

            SHA256

            a6a201d6ad631315f405559819bd06b99741f3d114df143d59da26d1a3b395c1

            SHA512

            9c045d943f996e5fa764c26143c6951d9e016cb053e1b0a25f579a11dbce4c3a2e338b01ff74df280863313df4fd464867df2bd438eb8c3d693e0c167c28a1d0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e6dbf17d-1b78-4548-b053-cfbaec29ba74.vbs
            Filesize

            741B

            MD5

            3b5c83f8adb3692f5642bede3f9f0ce4

            SHA1

            0f0adb18c7f3fcb55101860f50a175a9a0012363

            SHA256

            6822844446bf7703b1d0ead1d0eb0aa6251530e335ecf302d9c4c6c8be5de669

            SHA512

            4041adb127bf2cf132ae46049694202943b5b7b46d0553aaefae633ee57456e004332a474073f7a1aa9ee89be89793c4a0c6ac2bd653cd3e7cf55e609d26c892

            Download Submit

          • C:\Users\Public\Downloads\Idle.exe
            Filesize

            2.2MB

            MD5

            a71a4cee2a4f34a6350fd5e4a1c3c2e0

            SHA1

            f7bfc96f584a551e3b2c4199739bc649799b5e39

            SHA256

            109effba5404dab9bcd2398e2bbdce2ffe340020490e70b17b9fa3ba26a7f3c8

            SHA512

            cf929b989b7c1ea748ed4e4010495735dcfeebefef4cb75ad777b29dd356c27a527da31428c12c8617836c63cb48bce3638a7990dda431abe18bb96e904dc2d9

            Download Submit

          • memory/1520-12-0x000000001C030000-0x000000001C040000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1520-25-0x000000001C1F0000-0x000000001C1FE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1520-13-0x000000001C040000-0x000000001C04A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1520-14-0x000000001C050000-0x000000001C05C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-19-0x000000001C090000-0x000000001C0A2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1520-17-0x000000001C080000-0x000000001C088000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1520-16-0x000000001C070000-0x000000001C07C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-15-0x000000001C060000-0x000000001C068000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1520-20-0x000000001C5F0000-0x000000001CB18000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1520-21-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-22-0x000000001C0D0000-0x000000001C0DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-23-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-24-0x000000001C340000-0x000000001C34A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1520-28-0x000000001C320000-0x000000001C32C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-27-0x000000001C310000-0x000000001C31E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1520-29-0x000000001C330000-0x000000001C338000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1520-31-0x000000001C390000-0x000000001C39C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-30-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1520-26-0x000000001C200000-0x000000001C208000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1520-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1520-34-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1520-11-0x000000001C020000-0x000000001C028000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1520-10-0x000000001BFC0000-0x000000001BFCC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1520-9-0x000000001BFA0000-0x000000001BFB6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1520-167-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1520-7-0x000000001BF80000-0x000000001BF88000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1520-8-0x000000001BF90000-0x000000001BFA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1520-190-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1520-6-0x000000001BFD0000-0x000000001C020000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1520-250-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1520-251-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1520-1-0x0000000000B00000-0x0000000000D2E000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1520-5-0x000000001BF60000-0x000000001BF7C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1520-4-0x000000001BF50000-0x000000001BF5E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1520-3-0x000000001BF40000-0x000000001BF4E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1520-2-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4900-252-0x0000000000830000-0x0000000000A5E000-memory.dmp

            Filesize

            2.2MB

            Download