Analysis

  • max time kernel
    137s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 00:06

General

  • Target

    3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe

  • Size

    2.0MB

  • MD5

    9b57b45ad1b718ed5e83fb62a8b726c3

  • SHA1

    25e29ba21022424a4d74f2d184238f288a788f32

  • SHA256

    3dd0a5685e10ef6d63758cafee7c651f8ae80a47664158976ace7b80c825a032

  • SHA512

    f9b439d71536513bd8a190774cd4c3c6a5729ecf54f5f70e7abbbffde54485188998c3537b5955f98dac4a390742bfddf2b4ef6f257729e46565bcf862de3209

  • SSDEEP

    24576:JB432G/nvxW3Ww0tLXA/ZohBQTRtWpekBST0Z3jJWOyFFgU91cD0knE4BTi:QbA30DDhBQNxkk0pljyF2U911qi

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
    "C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      PID:1372
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\fontintosessionsvc\bridgeWebdll.exe
            "C:\fontintosessionsvc\bridgeWebdll.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3172
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pfPAM1z6vu.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3856
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3440
                • C:\Users\Default\conhost.exe
                  "C:\Users\Default\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5080
      • C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
        "C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"
        2⤵
        • Executes dropped EXE
        PID:3108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4976
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "bridgeWebdll" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4316
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3212

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

            Filesize

            1.5MB

            MD5

            8548cc870e74723070353d67d1df6cba

            SHA1

            1e51a150d92378cecb1c60ffb4715da8838d9fa4

            SHA256

            37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6

            SHA512

            c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

          • C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

            Filesize

            336KB

            MD5

            73809a6768903e090178f10eb46ff2c1

            SHA1

            8449c27be4b36b4066996b50b9b3d6078a4f736c

            SHA256

            0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5

            SHA512

            dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

          • C:\Users\Admin\AppData\Local\Temp\pfPAM1z6vu.bat

            Filesize

            193B

            MD5

            ebab391a7c17fb232c6e950f72ede442

            SHA1

            a880a45ffb58477cd1291414fb31929a49b98e96

            SHA256

            73415633ab112333ba2aec293bdc9ddea610e21cc80ae96bcb71cd82fea1b932

            SHA512

            d0fda3299265f26a81ca5ec543b72842fa290ebaddb2813c2c55cc67a3c61a9833b3d994301de5b57babacff4750e3f144e4b189387e492a608c62706c94f88d

          • C:\Users\Default\conhost.exe

            Filesize

            1.2MB

            MD5

            d241d05d6cc53887772cc12e93759c50

            SHA1

            e13109e21acd264714539f7f3c9b7f0ff44d0211

            SHA256

            8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

            SHA512

            eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

          • C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe

            Filesize

            1.2MB

            MD5

            d241d05d6cc53887772cc12e93759c50

            SHA1

            e13109e21acd264714539f7f3c9b7f0ff44d0211

            SHA256

            8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

            SHA512

            eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

          • C:\fontintosessionsvc\AtbmE4.vbe

            Filesize

            218B

            MD5

            bfc4c3394520c5407a7a70e99743ca72

            SHA1

            e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17

            SHA256

            c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d

            SHA512

            2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

          • C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat

            Filesize

            40B

            MD5

            72fa4f55254901b819a5996d5eff7bcb

            SHA1

            950f1b3bf5a55a2d88fce41b03a3b5ab079d716d

            SHA256

            962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0

            SHA512

            c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

          • C:\fontintosessionsvc\bridgeWebdll.exe

            Filesize

            1.2MB

            MD5

            d241d05d6cc53887772cc12e93759c50

            SHA1

            e13109e21acd264714539f7f3c9b7f0ff44d0211

            SHA256

            8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0

            SHA512

            eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

          • memory/3172-30-0x00007FFA02A80000-0x00007FFA03541000-memory.dmp

            Filesize

            10.8MB

          • memory/3172-33-0x000000001B5A0000-0x000000001B5F0000-memory.dmp

            Filesize

            320KB

          • memory/3172-34-0x000000001AED0000-0x000000001AEE6000-memory.dmp

            Filesize

            88KB

          • memory/3172-35-0x000000001AE60000-0x000000001AE6C000-memory.dmp

            Filesize

            48KB

          • memory/3172-32-0x0000000002570000-0x000000000258C000-memory.dmp

            Filesize

            112KB

          • memory/3172-31-0x000000001AE70000-0x000000001AE80000-memory.dmp

            Filesize

            64KB

          • memory/3172-76-0x00007FFA02A80000-0x00007FFA03541000-memory.dmp

            Filesize

            10.8MB

          • memory/3172-29-0x00000000001A0000-0x00000000002D2000-memory.dmp

            Filesize

            1.2MB

          • memory/3740-14-0x0000000000400000-0x00000000005FF000-memory.dmp

            Filesize

            2.0MB

          • memory/5080-80-0x00007FFA029D0000-0x00007FFA03491000-memory.dmp

            Filesize

            10.8MB

          • memory/5080-81-0x000000001BC90000-0x000000001BCA0000-memory.dmp

            Filesize

            64KB

          • memory/5080-83-0x00007FFA029D0000-0x00007FFA03491000-memory.dmp

            Filesize

            10.8MB