Overview

overview

10

Static

static

10

da479ac368...fb.exe

windows7-x64

10

da479ac368...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/03/2025, 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe

  • Size

    3.0MB

  • MD5

    4bc701fc5e13c1287646e5d1f79760d4

  • SHA1

    6bc6e4c44012084ec5af5ebdfd09314e598464e1

  • SHA256

    da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb

  • SHA512

    fd3bf97de8840b16ae72295082e6aff5f0833de8791d39dc6a347cab771af1b88cfcc56c307c663112d2207cf2a0059a0882b053aa8fa0b67a1f3a3a183ee503

  • SSDEEP

    49152:S/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:ASuMxAxKp+SDqHJq+zy86A

Score
10/10
dcratdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat 20 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe
    "C:\Users\Admin\AppData\Local\Temp\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1328
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vT6Q8ndOLD.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1692
        • C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe
          "C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2796
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e7dadb2-6936-4731-a389-5c2b228e254a.vbs"
            4⤵
              PID:560
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34b83c0b-90f2-4816-8403-95b411b3805a.vbs"
              4⤵
                PID:2880
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12143/
                4⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1512
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2916
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:484
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:1052

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          5
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          2
          T1552

          Credentials In Files

          2
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          2
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Windows Defender\WmiPrvSE.exe
            Filesize

            3.0MB

            MD5

            39e5809e7bfeb4adbdd11613736732e7

            SHA1

            438e8c706d867d175364f4c79bb1791b788cef98

            SHA256

            139187d87066997761723870e58660d1282bdee9f9590afeaeb78d7680b3f4a3

            SHA512

            53965ed032e078027c48b35298f44c66735d705d44b4ef000a174073bd9b22c370fce64dbb4aa00c6841cf12776c01f8ee4ae9d59b832df5993fb43331c97880

            Download Submit

          • C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe
            Filesize

            3.0MB

            MD5

            4bc701fc5e13c1287646e5d1f79760d4

            SHA1

            6bc6e4c44012084ec5af5ebdfd09314e598464e1

            SHA256

            da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb

            SHA512

            fd3bf97de8840b16ae72295082e6aff5f0833de8791d39dc6a347cab771af1b88cfcc56c307c663112d2207cf2a0059a0882b053aa8fa0b67a1f3a3a183ee503

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            71KB

            MD5

            83142242e97b8953c386f988aa694e4a

            SHA1

            833ed12fc15b356136dcdd27c61a50f59c5c7d50

            SHA256

            d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

            SHA512

            bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            f29c415e33747652d9e5bebf5c3d920f

            SHA1

            eb81663b988b9f610a23ff8ccecc1cca7f4aec52

            SHA256

            ad7c49dd6bed5ae65b9393df2671614247ec05e133cd7f44c67951ff94d82726

            SHA512

            71e59fafd3c950fda753ca04ff6fc05a54981b01826a77553e3b9dcd7f3299f11f6b004085bcf92b989f466d19f9941f16e258583a7366bfd995b56515fcee43

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            207dfdf85cdeb16e2c538de597ed4242

            SHA1

            ae69d1139f9f6a5391b211303d9a154f0cfdd120

            SHA256

            b693b452b4f83efa0d991e0da82477ac1f6d4d90045b90f5c4b073c3c559c1bb

            SHA512

            249a6e67492e7396a21995dcb927b9dbc7db66b53d2631d4dd09b8393dfdf1869618d3e305c6e2b232127b801d261f613530cbfbfb278e987191a5108afeb616

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            07761276df3f60ec22f1c5f4fb85acbb

            SHA1

            90f472ba35f9fac2f088e1cb19b3b608dc07796e

            SHA256

            42784ad31b70f1d1bbc59b4bb249f2a0567942fa9f63d7aa5c7ee66c48a7c534

            SHA512

            7ba374bd3f6ef7c8caeb0d092184439ae8184bc777ece822c7b2a9eae16abed775ae1b106d4fbab2e511bf92c2877619f251649a79ddce69d31038c089f408b6

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            0f2568a728905e6a12380f2b24d7c98d

            SHA1

            0463e6b3bb16349228d19aeb613d693d7b002c64

            SHA256

            9645a4de30fee1ede8b55b7002d280057c7504255bc9e29e1dc48e0f5c8d1c78

            SHA512

            b969fd8f399cef7e46dc63b6f3d9b31b240e4b2f01078928a4c40399760c454c3501b3a518769a6f9b8b12169d7013e23a45927bb8600838c71b9c5083ffae8b

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            5b0b4c5ccba58d705bcdb696762e69eb

            SHA1

            93b425f82ec98b0e06e7e9d8cb03a91d6d077f23

            SHA256

            0e38f1aebfd58be09f662771b8dcbb2744600a99405861e13311d351ff4bb59b

            SHA512

            671c7738ae31798113fc5b587d4b0d856f6edb3864cc0b3261352c3848ae0fd7a2c3d7df68551d633920fbf49eacc068471ecbe59729117aa913eff2ba0ca380

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            040d17c350259229a09bfb36ec5f55b3

            SHA1

            90d0cff23b469d052c309a7c5a113f31c2d49936

            SHA256

            0263f37ac30f07d6ad5ae78842bf5c3f7a90bae98fa84e99aecccde5c6441812

            SHA512

            640de07fbcf9955cc26f788069ac34836cccece81ec952a5c0e8b8c2f5427678c0c15c8865ebe1f26601f10eb6cd5385cce8325b0bf240cb05d170afc446d457

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            9d745612b661a36a1045112094d4b742

            SHA1

            fef78986f07fe77eec3c6e4538dad794d567cc17

            SHA256

            4f78af70f93338ea0fc6563b930a516b7877ae10791dce1cceb51787564eaa0a

            SHA512

            a0a2af6c2786a9bdf8930be2a529545743735d813954534341b1043a14523f6d662e0d30d4b1302dd8fd5f42b090b41dd526a3ee17572932c736e2bb23f6ceae

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            88626640c5c32be43b76b961cb847a51

            SHA1

            fd36bcd26a6eb317fde068c2de3f6168cbcb537b

            SHA256

            de431290a70a754697b8de51d5174ed8424ec42dc0a385bb86087a2386d8e75c

            SHA512

            9b80ae8580cec996c0f16b97960fe7f6fd61fc660252f79825814f801a4c3fa4636634eed89e4822a3462a90906a5600e2c28b746644d70b78974439cb7f1684

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            a79d958ca3bf06c54ebd9affdce3855a

            SHA1

            fdc5ca94227c20597b4053412c152cd02ca36713

            SHA256

            50346f3d83a71b81d0520d9420ddf440c9fabd201975f90212346a9977baa0f1

            SHA512

            127a50ac1516a3d6f240173a99e2dbb7210a241a996703a951e043302d06f8f04851f1adf4653d7793f0ef32cda5fa66d99db89494557373afdb401df23e491f

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            46c10cb09db1d53d228e02ee8ec80795

            SHA1

            37e65828a653f49b7df00e3599ec0e2afc4c6323

            SHA256

            1fd7f2a0088110f082c86ad432badf0ddc4b536d9af57040fce0d05a1de8379e

            SHA512

            9fcbbc2adbee60d7ee5cb2dda46dc7d651b9a8622de03c0805bb258c5b82774f12bda56a9f43086dd16685de3fa5e95336475b635c527f0e9d1c8a9156b83a6a

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            8e191837334f046d475b73bc2702de60

            SHA1

            91d96cdf4ad141704f02332591f9c465b1ce82d0

            SHA256

            fa30a785dd4534800a39f900d6c5b7bfe5b0061231bb835fb0bc6b08ffc41f95

            SHA512

            65cadb44f19bde601e7b7d6e39ff5c91d2df8f475935d73f7bf822a7784e68bbeb7ac035d61c5f652c8c7122acafec5f3215822df9a0fe0cbfa57d475537f2ab

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            8e2f42ece208d4bcf1afae56df5b584a

            SHA1

            d35655156f30e5779a3c9da08a58f383c7f6db5d

            SHA256

            57e90478ea770f248cebe0e07c619a3e6b5946b2726384cc35304d1a5f6dc951

            SHA512

            5dcafecd86c0d1c847b290d6696de80fb4e12d4f2bca2955604e3b282ceea1f1b7c9db3ce1316b3c695bd4c48538335047519cd52213ff92b68fceb0ccf7cb04

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            5da796318c1655721332d05553d598bb

            SHA1

            1d074acb2d13aa993e895ecb6902e3b71bee1573

            SHA256

            aba0d4eb2c47593f01fc2a69eec5b3be2f45470429573bd796a28bf097e3ae4d

            SHA512

            6ac853d5e9fd6ba181f93f715c78217fc1644bbd9cd5eb36eeb5fcb89765e9dd53ead39ef5912f045d5b7f26d71a00b98a0e339aac29de26822c23ed7f4b4d27

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            da4e141b6aaeaf710e185dc24b5a859a

            SHA1

            35a337b667674e2d5043ec6115a8b37044b9bbc2

            SHA256

            60f026754e52316b1e2e6635014eb715b7e906d84b354cfbcba373014efaece0

            SHA512

            6853057c7e87b33945c5f34db45e357cdaf5f7bbab8633d02a40559a420731479903346d72ba44c4c867dca2951febd3c1808edfe917ff234d242e459672d01b

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            aca04068200038b85eba4cef19399610

            SHA1

            36b2f8ecc5c409adc2aed3de244db2e63091af8a

            SHA256

            bedf142b2440d190527904c145e552592c8636d12893b00feb6169be970ca7c4

            SHA512

            8a1d6a953d5c17708d11afe839b80eb866fd79cdfde405e6632031aa578d652abc9f6fc13f65f5a83aad1c1e18ca4252fe965bb03921d0bd86c850e28ecd77a7

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            61c149534af6dcbb6ecbb4e1f78c5de3

            SHA1

            dedde729a59177b65ef1257887ab69e4e26b1a51

            SHA256

            f31979a945271e820552d44e0e6c05221c16f3a3077fb809cfeadacb9d30a771

            SHA512

            d67cb7b460df25ca64f7b5867100fc1f1700f92149b935c3d6909ba47dc9def6995c0531c67c42d15e6048e5afd39c9559cc69823f6725f3aaccb1f5481694ef

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            8d2fd21d8da0654c907e55ac24edc4ce

            SHA1

            6eb2f85bf70b2521c2d640978c48b50365fe6176

            SHA256

            48c6f1e683d240de7fb10b04ac9f6196e52b86fb355f532a84c56126060b4a27

            SHA512

            cf1563d1c8868deb44a50ab34cffda4f9633202b2d0179d086dd9bbc870c4d226ce94ce5d606b2d3a74d16674a023bbda7704a26c1fabd9a71958955d0339aa7

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            344B

            MD5

            df7f0131e776ec3fbc2e56ff867a05ab

            SHA1

            8fd5459ec237204088df988de7042e581b398a14

            SHA256

            f0f7c08c5aaa3587f347240300f6d2502ef1c4ced2c233b5c7d7d55d984cbff4

            SHA512

            b5d4edda7befc4bcbdbf34b9cf798f68b060e840ade9ce561bf200f30a6697e455b919b35657c1db85532a947f3babcc25ac54c9633989f991e4256803a503ba

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0e7dadb2-6936-4731-a389-5c2b228e254a.vbs
            Filesize

            728B

            MD5

            346c99acbf8d2b0f2c37b72b3fafd779

            SHA1

            f165c682eacb11abfae9ca99a81bbf23de107bd4

            SHA256

            04d3fe5c11f65c75c6cfd5c88a9f5415234829ecd6b3bf022aeb11d23a84d002

            SHA512

            72574a570b37da0aef3e4aaf2c825a59b00060feb377499fb5066d18fecafbaf2f7dd7cce376e73e502d2f002195fa5005491b62273a429e81ccad9951900b18

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\34b83c0b-90f2-4816-8403-95b411b3805a.vbs
            Filesize

            504B

            MD5

            91cdfc0bfe731373582a924da1e129cf

            SHA1

            e011679ee8a8e315840b325e6a87f729cd0569c1

            SHA256

            a4c295ef51809ba196700734962047ee2af65a693819209c25b3e53b9ff1ec06

            SHA512

            fdfcf4c7ba91ac19490088580ce2f2f05c3a069b612eedcb672f7330b97fea6c03ffa0b22757435d629c7c0eb0a556b45f406cf5d68f1be147a0a839b74eeb10

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Cab11A0.tmp
            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar1291.tmp
            Filesize

            183KB

            MD5

            109cab5505f5e065b63d01361467a83b

            SHA1

            4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

            SHA256

            ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

            SHA512

            753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\vT6Q8ndOLD.bat
            Filesize

            217B

            MD5

            4707825f205d1f1f1ad54ed4bb36c36f

            SHA1

            407efd5ab395f7819e6a8427cc6e726b525e34cd

            SHA256

            a3cc8e3e30ba92398d5e1be761dbd57f2696d619f0cee926f01fab9f7953fde0

            SHA512

            26fee46d1d35a3c38e6fe06d7b6d84a861f1dce6fe46215b4b3fa6b83ac96e3b465be5a2049fa6b9d57e79606130b2936293033df71095d8820ebef6e3c72f59

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            b3d022d66fee396112f3aadebd06b591

            SHA1

            c49b164cbde55e4302be8c4891da06faadea2fc8

            SHA256

            1eacae46a540d83b3b45de2883daee8257299139638db64087e1de28b0097a9d

            SHA512

            0a9608a8ab6ff26978e7b57b276b9f2da5f2544dbd3793a624df1ab5394d90475f558e9c0f10d7cda16d5d507570f7fb10a265cc910f657a94c7174ee9b45f28

            Download Submit

          • C:\Windows\de-DE\dllhost.exe
            Filesize

            3.0MB

            MD5

            5f3094b89f36e8cc7c89ae2322eef851

            SHA1

            026d7fb8e765ac0e0dae589f843ed1477608cb1c

            SHA256

            e2861ddd75dc1572e53a4abe92b867ebff5b64b3f1d1f9fb01fe2592f8646b23

            SHA512

            4820e4d30632413776a4617fc9b6e126bad0a379d711bb774a56b0d27eb441c9a88a39a303df8476d95a6b14f0517fe2925cb57ef08a2e7e393bbee4587086cb

            Download Submit

          • memory/1100-146-0x000000001B710000-0x000000001B9F2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2784-149-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2796-162-0x0000000000230000-0x000000000053E000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/3008-18-0x0000000001090000-0x000000000109C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-16-0x0000000001050000-0x0000000001058000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3008-26-0x0000000001110000-0x0000000001118000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-25-0x0000000001100000-0x000000000110E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3008-129-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3008-31-0x000000001ABF0000-0x000000001ABFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-30-0x0000000001150000-0x000000000115A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3008-24-0x00000000010E0000-0x00000000010EA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3008-29-0x0000000001140000-0x0000000001148000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-23-0x00000000010F0000-0x00000000010F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-22-0x00000000010D0000-0x00000000010DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-21-0x00000000010C0000-0x00000000010CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-20-0x00000000010B0000-0x00000000010B8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-19-0x00000000010A0000-0x00000000010AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-28-0x0000000001130000-0x000000000113C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-27-0x0000000001120000-0x0000000001128000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-15-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-17-0x0000000001060000-0x0000000001072000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3008-14-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-13-0x0000000000C50000-0x0000000000C5C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3008-12-0x0000000000C00000-0x0000000000C56000-memory.dmp

            Filesize

            344KB

            Download

          • memory/3008-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3008-10-0x0000000000B60000-0x0000000000B70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3008-9-0x0000000000B50000-0x0000000000B58000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-7-0x0000000000B20000-0x0000000000B36000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3008-8-0x0000000000B40000-0x0000000000B48000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-6-0x0000000000300000-0x0000000000310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3008-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-4-0x00000000002D0000-0x00000000002EC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3008-3-0x00000000002C0000-0x00000000002C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3008-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3008-1-0x0000000001160000-0x000000000146E000-memory.dmp

            Filesize

            3.1MB

            Download