Analysis

  • max time kernel: 148s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 31-05-2024 09:46

General

  • Target: 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
  • Size: 11.0MB
  • MD5: 0e38f27d79158a60eb55b2cc9a53d711
  • SHA1: 088e81dd3cafb143133da25124a0880a29c448f0
  • SHA256: 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471
  • SHA512: ad052b98001936e0e71f89c8c7c117feda317c4a4ff5b0fd3403db2d90cb38d0bd2a7f7396ddf777ddf4d04e992edd2c1e1f288761060c436183d23490363c78
  • SSDEEP: 196608:XDjdqua/WBpKJiziKUKRzBVCzTsx7nJJHywSBJa53pyRQ1I34jMGM:XNm+BpYiuK9RzBIzTsBSBJaBpyRQyoQj

Malware Config

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  • Process spawned unexpected child process (6 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • UAC bypass (3 TTPs, 45 IoCs)
  • DCRat payload (14 IoCs)
    Detects payload of DCRat, commonly dropped by NSIS installers.
  • Executes dropped EXE (19 IoCs)
  • Loads dropped DLL (13 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 30 IoCs)
  • Detects Pyinstaller (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Creates scheduled task(s) (1 TTPs, 6 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (15 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 45 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
    "C:\Users\Admin\AppData\Local\Temp\9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Users\Admin\AppData\Local\Temp\HyperLix.exe
      "C:\Users\Admin\AppData\Local\Temp\HyperLix.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\HyperLix.exe
        "C:\Users\Admin\AppData\Local\Temp\HyperLix.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:272
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\blockbrowserfontref\itVJoLv8U.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\blockbrowserfontref\NJkyNjia8UfT.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\blockbrowserfontref\Agentsvc.exe
            "C:\blockbrowserfontref\Agentsvc.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1476
            • C:\blockbrowserfontref\HyperLix.exe
              "C:\blockbrowserfontref\HyperLix.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2912
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90fc8cd-fe8d-49f5-9cb5-178dae200074.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2152
                • C:\blockbrowserfontref\HyperLix.exe
                  C:\blockbrowserfontref\HyperLix.exe
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1272
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2228fd2d-0517-4c03-9082-509719887bc6.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2984
                    • C:\blockbrowserfontref\HyperLix.exe
                      C:\blockbrowserfontref\HyperLix.exe
                      10⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2704
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc29f2fa-d7f8-48b1-a683-5b4a4216fe66.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2836
                        • C:\blockbrowserfontref\HyperLix.exe
                          C:\blockbrowserfontref\HyperLix.exe
                          12⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:928
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fa6df4-50b3-48c4-b456-349fbca40f47.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2800
                            • C:\blockbrowserfontref\HyperLix.exe
                              C:\blockbrowserfontref\HyperLix.exe
                              14⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2320
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b280e0-e67f-4d63-a4b4-301e5c8ef428.vbs"
                                15⤵
                                  PID:536
                                  • C:\blockbrowserfontref\HyperLix.exe
                                    C:\blockbrowserfontref\HyperLix.exe
                                    16⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:972
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\920c4aed-5f1a-4400-b47d-ce50048f82e2.vbs"
                                      17⤵
                                        PID:2748
                                        • C:\blockbrowserfontref\HyperLix.exe
                                          C:\blockbrowserfontref\HyperLix.exe
                                          18⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2468
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69ae968f-6af4-45ed-87b9-0be3f06fbe5d.vbs"
                                            19⤵
                                              PID:1452
                                              • C:\blockbrowserfontref\HyperLix.exe
                                                C:\blockbrowserfontref\HyperLix.exe
                                                20⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2584
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7801cfda-ec9f-4eb2-9b53-8a4593dd089b.vbs"
                                                  21⤵
                                                    PID:2752
                                                    • C:\blockbrowserfontref\HyperLix.exe
                                                      C:\blockbrowserfontref\HyperLix.exe
                                                      22⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2700
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576b7a88-5d37-416d-8139-3ab743e56ccb.vbs"
                                                        23⤵
                                                          PID:2836
                                                          • C:\blockbrowserfontref\HyperLix.exe
                                                            C:\blockbrowserfontref\HyperLix.exe
                                                            24⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:1820
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec2592db-186b-4a40-b566-22aec2a2b928.vbs"
                                                              25⤵
                                                                PID:1364
                                                                • C:\blockbrowserfontref\HyperLix.exe
                                                                  C:\blockbrowserfontref\HyperLix.exe
                                                                  26⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:1100
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d847ac89-60ba-4a87-a530-ed67bc2f009e.vbs"
                                                                    27⤵
                                                                      PID:900
                                                                      • C:\blockbrowserfontref\HyperLix.exe
                                                                        C:\blockbrowserfontref\HyperLix.exe
                                                                        28⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:836
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7c22d1-6b60-48c3-aecd-70c2754de7ec.vbs"
                                                                          29⤵
                                                                            PID:2608
                                                                            • C:\blockbrowserfontref\HyperLix.exe
                                                                              C:\blockbrowserfontref\HyperLix.exe
                                                                              30⤵
                                                                              • UAC bypass
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:2772
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f773951-b7b7-4164-a9fa-688f802f8697.vbs"
                                                                                31⤵
                                                                                  PID:1928
                                                                                  • C:\blockbrowserfontref\HyperLix.exe
                                                                                    C:\blockbrowserfontref\HyperLix.exe
                                                                                    32⤵
                                                                                    • UAC bypass
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • System policy modification
                                                                                    PID:1012
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16900c54-b223-4292-bcec-c676883f4531.vbs"
                                                                                      33⤵
                                                                                        PID:1692
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637b2952-a0c3-4366-a6fe-4029fa32184e.vbs"
                                                                                        33⤵
                                                                                          PID:2700
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e078198-1771-4a18-85e6-fbb936424b84.vbs"
                                                                                      31⤵
                                                                                        PID:2828
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b007b3b5-3af5-4bc6-82a2-7f34eafb1891.vbs"
                                                                                    29⤵
                                                                                      PID:764
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ebd457d-b21b-482e-b0c2-0e1d5887bc25.vbs"
                                                                                  27⤵
                                                                                    PID:1544
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88b4465c-23e6-4e1d-bee3-e0f221d92f37.vbs"
                                                                                25⤵
                                                                                  PID:1992
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5961411-6b17-40ca-b46b-74f0697c6f02.vbs"
                                                                              23⤵
                                                                                PID:2424
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\434a0a59-e509-4080-bb0f-2593a88d6b09.vbs"
                                                                            21⤵
                                                                              PID:2572
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfdb4e0a-ea4a-4c86-ad98-879c668844f6.vbs"
                                                                          19⤵
                                                                            PID:2204
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99f55305-2312-4ad9-ac36-4b70234a1f16.vbs"
                                                                        17⤵
                                                                          PID:3000
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da0261c-baa3-4cda-84d7-ba68ea8d89e1.vbs"
                                                                      15⤵
                                                                        PID:596
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65c6f88-f8aa-488d-8d03-f98d8fe3a779.vbs"
                                                                    13⤵
                                                                      PID:1972
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fbb3d8a-19ef-4454-8e27-75e9d32254f1.vbs"
                                                                  11⤵
                                                                    PID:2952
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b054d1a7-9e60-4596-92c4-55cfe8a3380a.vbs"
                                                                9⤵
                                                                  PID:2652
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b925ccb4-57cf-4818-81a4-032fb517422e.vbs"
                                                              7⤵
                                                                PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "HyperLixH" /sc MINUTE /mo 10 /tr "'C:\blockbrowserfontref\HyperLix.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "HyperLix" /sc ONLOGON /tr "'C:\blockbrowserfontref\HyperLix.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "HyperLixH" /sc MINUTE /mo 8 /tr "'C:\blockbrowserfontref\HyperLix.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                    SHA512

                                                    4e61334fd7d1a35f79b06b27235eb6d1af1edda3b0e1390b97358a86bf863d719113bd9b4688b67cf64c1b6dce7c95ee40224817766aa71b70561c07537ce62a

                                                  • C:\Users\Admin\AppData\Local\Temp\920c4aed-5f1a-4400-b47d-ce50048f82e2.vbs
                                                    Filesize

                                                    710B

                                                    MD5

                                                    ee8edc7b01816fb581806635a55240c0

                                                    SHA1

                                                    0c234bd4bfed5b0633634bc9c60a6c7702da0a46

                                                    SHA256

                                                    4e1a069d574b01c1407518463d6ddc37408af44edda982d138d4618f0046cd58

                                                    SHA512

                                                    fab39ea0fbcc1a11daf0eb24661cc25ed51c5eb2a57d5fdd8c6450a519a9899be714b4e663ab575521fe4cfc84e0358885c1874a54f2ea9de89c3457b4a25ec4

                                                  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                                                    Filesize

                                                    1.7MB

                                                    MD5

                                                    94bac967cb5ad8c8379a409c2c620212

                                                    SHA1

                                                    9d60be3ece1700cf5ea83da272869a14334bfb08

                                                    SHA256

                                                    e3351b1acb6fe1a38cae6e924768c3594f9a65757311d31f9c2e0c71f0acca76

                                                    SHA512

                                                    fa796ad334e86c80e1b49bdc9a315afd9248a34a674d80b4965a7192096874f54df5a266a4388c0604a3787962ed2eddc7b832f17457cca0ac9f856b9366ee9f

                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l1-2-0.dll
                                                    Filesize

                                                    21KB

                                                    MD5

                                                    1c58526d681efe507deb8f1935c75487

                                                    SHA1

                                                    0e6d328faf3563f2aae029bc5f2272fb7a742672

                                                    SHA256

                                                    ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

                                                    SHA512

                                                    8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-localization-l1-2-0.dll
                                                    Filesize

                                                    21KB

                                                    MD5

                                                    724223109e49cb01d61d63a8be926b8f

                                                    SHA1

                                                    072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

                                                    SHA256

                                                    4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

                                                    SHA512

                                                    19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\python311.dll
                                                    Filesize

                                                    5.5MB

                                                    MD5

                                                    9a24c8c35e4ac4b1597124c1dcbebe0f

                                                    SHA1

                                                    f59782a4923a30118b97e01a7f8db69b92d8382a

                                                    SHA256

                                                    a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

                                                    SHA512

                                                    9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

                                                  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\ucrtbase.dll
                                                    Filesize

                                                    992KB

                                                    MD5

                                                    0e0bac3d1dcc1833eae4e3e4cf83c4ef

                                                    SHA1

                                                    4189f4459c54e69c6d3155a82524bda7549a75a6

                                                    SHA256

                                                    8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

                                                    SHA512

                                                    a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

                                                  • C:\Users\Admin\AppData\Local\Temp\b925ccb4-57cf-4818-81a4-032fb517422e.vbs
                                                    Filesize

                                                    487B

                                                    MD5

                                                    4b8718b42ef74980039023e39689e6e4

                                                    SHA1

                                                    74bf95bd367ef60e813cb7f909d2619623de4bf9

                                                    SHA256

                                                    2a45088fadf2f267da6786e829090b3dab420d23db2b569ea8924e89f77183fa

                                                    SHA512

                                                    ece3e59cc237d76d47b6bbace2a4b60c5f4fdee4e49aad0cf1176539bcd6202580a13262a5720f4da855197f46d075652907498b212cd9f8f839ddbf87f4927e

                                                  • C:\Users\Admin\AppData\Local\Temp\bc29f2fa-d7f8-48b1-a683-5b4a4216fe66.vbs
                                                    Filesize

                                                    711B

                                                    MD5

                                                    ac3509ec838c0505e700040ebe37be7f

                                                    SHA1

                                                    f262fb594dbdd5de06072f128da29423a7ed3b14

                                                    SHA256

                                                    8641d17ce98b1cab414fa8cbe16f5b67eddefc3ee0c7a1168983cff1d38d15e5

                                                    SHA512

                                                    9a0731b6d7a0b0a21353e546979e656e2d78e00399a576b681c15114952ae015f6ab84b61bce920b298ae197ba1afe92216886d4fa4f293bf320fe5db7836e73

                                                  • C:\Users\Admin\AppData\Local\Temp\c90fc8cd-fe8d-49f5-9cb5-178dae200074.vbs
                                                    Filesize

                                                    711B

                                                    MD5

                                                    fb2d35147c9197474acd33765747bf62

                                                    SHA1

                                                    8e065c8151b1d13d775bbcf9cf31e0f6d284f8d2

                                                    SHA256

                                                    8dd4ea3276685234844a8b2c792fd82c2b4071a0f45c67b90dbf97c479ddea43

                                                    SHA512

                                                    137f283290b8d8380da9a1e105f854b15d3b3ff68785fac5ee6f5070676ddea0cd2879ee6ff010ffd5dfee5dfefdee62b7da588d37a377fd346da9acac3206fc

                                                  • C:\blockbrowserfontref\NJkyNjia8UfT.bat
                                                    Filesize

                                                    37B

                                                    MD5

                                                    2ce72bdfcfea06524c9fdb5b376898cb

                                                    SHA1

                                                    5fdd4050e4a71f2dfefb12e55e49f9d08fdd49b3

                                                    SHA256

                                                    5a8124f36cdaff184844eb28e1eb49fd29b83632a0995398312a2d136969a21b

                                                    SHA512

                                                    cf5356c8bf1ba99d7c42d5f4989de8fb13ae5260297f81d136d66c00c10f98c3b6a62c88da21eca26e2098ff3d107fbb8c331830ff417a02c14fd1484b079f81

                                                  • C:\blockbrowserfontref\itVJoLv8U.vbe
                                                    Filesize

                                                    208B

                                                    MD5

                                                    6b7d585fa23f467144e38fd8d87ce65b

                                                    SHA1

                                                    c6d0cbe286ee6b199bc85dd9e19fdca8aba89469

                                                    SHA256

                                                    935001f4e3b76448cfd852ffa5d8c8d4222c536d585b0944c38c8e0f5235b2d6

                                                    SHA512

                                                    ee47be5b67b926e3ce10ab1bbd7b132e122d9387791840f34cc25f55fe1f65c8d3934e8bbd30fd0bca9317d23030a85bd50ac9a1e1d2d882908c2679eff07d9d

                                                  • \Users\Admin\AppData\Local\Temp\HyperLix.exe
                                                    Filesize

                                                    9.8MB

                                                    MD5

                                                    edbd1d66fc17605a5a6d31eefcf12bff

                                                    SHA1

                                                    5ea7852db625ba57e8cc04206e0c99492385f39a

                                                    SHA256

                                                    dc059b4e721219525c803617c5dfbea0df9e0a39bd43d85e113a2a4183ae0550

                                                    SHA512

                                                    39203efcc10951c82bf8ac531e3bae8cad92e18c9bd31b3be89f16d5361bfc1bc7f24ea62ddc5b39a45f2f617840c951ea863ab317e160f22124df823aa6f5bd

                                                  • \Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l2-1-0.dll
                                                    Filesize

                                                    18KB

                                                    MD5

                                                    bfffa7117fd9b1622c66d949bac3f1d7

                                                    SHA1

                                                    402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

                                                    SHA256

                                                    1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

                                                    SHA512

                                                    b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

                                                  • \Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-processthreads-l1-1-1.dll
                                                    Filesize

                                                    21KB

                                                    MD5

                                                    517eb9e2cb671ae49f99173d7f7ce43f

                                                    SHA1

                                                    4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

                                                    SHA256

                                                    57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

                                                    SHA512

                                                    492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

                                                  • \Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-timezone-l1-1-0.dll
                                                    Filesize

                                                    21KB

                                                    MD5

                                                    d12403ee11359259ba2b0706e5e5111c

                                                    SHA1

                                                    03cc7827a30fd1dee38665c0cc993b4b533ac138

                                                    SHA256

                                                    f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

                                                    SHA512

                                                    9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

                                                  • \blockbrowserfontref\Agentsvc.exe
                                                    Filesize

                                                    1.4MB

                                                    MD5

                                                    3838335da14cea139c2ac51bce47b3e7

                                                    SHA1

                                                    2cff0de5e1fad90672cac8a8354fac63c5a67f38

                                                    SHA256

                                                    ff1d4fc95e90a6e9469d1b3075c00a49b575f6e365f6773d09ca5eb05b8e70aa

                                                    SHA512

                                                    06576f15ff248577ed77f3bc13e4cda846281a181cf23978e60698ba4adf287fc299aa65293581356233f21e884fcf449f6d4e92a313468ac70049f4a8f24a0a

                                                  • memory/836-2129-0x0000000000020000-0x0000000000196000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/1012-2144-0x00000000001A0000-0x0000000000316000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/1012-2145-0x0000000002160000-0x0000000002172000-memory.dmp
                                                    Filesize

                                                    72KB

                                                  • memory/1100-2121-0x0000000000340000-0x00000000004B6000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/1272-2020-0x0000000000E30000-0x0000000000FA6000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/1476-1024-0x0000000002150000-0x0000000002160000-memory.dmp
                                                    Filesize

                                                    64KB

                                                  • memory/1476-1021-0x00000000007F0000-0x0000000000806000-memory.dmp
                                                    Filesize

                                                    88KB

                                                  • memory/1476-1026-0x0000000002130000-0x000000000213C000-memory.dmp
                                                    Filesize

                                                    48KB

                                                  • memory/1476-1028-0x0000000002170000-0x000000000217A000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/1476-1023-0x0000000002140000-0x0000000002152000-memory.dmp
                                                    Filesize

                                                    72KB

                                                  • memory/1476-1027-0x0000000002160000-0x000000000216A000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/1476-1022-0x00000000005C0000-0x00000000005C8000-memory.dmp
                                                    Filesize

                                                    32KB

                                                  • memory/1476-1025-0x0000000000810000-0x000000000081A000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/1476-1019-0x0000000000820000-0x0000000000996000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/1476-1020-0x0000000000650000-0x000000000066C000-memory.dmp
                                                    Filesize

                                                    112KB

                                                  • memory/1820-2113-0x0000000000360000-0x00000000004D6000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/2320-2056-0x0000000001350000-0x00000000014C6000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/2468-2079-0x00000000001F0000-0x0000000000366000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/2584-2091-0x0000000000DE0000-0x0000000000F56000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/2700-2104-0x0000000000410000-0x0000000000422000-memory.dmp
                                                    Filesize

                                                    72KB

                                                  • memory/2700-2103-0x00000000010C0000-0x0000000001236000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/2704-2033-0x0000000000620000-0x0000000000632000-memory.dmp
                                                    Filesize

                                                    72KB

                                                  • memory/2704-2032-0x0000000000F30000-0x00000000010A6000-memory.dmp
                                                    Filesize

                                                    1.5MB

                                                  • memory/2912-1039-0x0000000000CE0000-0x0000000000E56000-memory.dmp
                                                    Filesize

                                                    1.5MB