Analysis

  • max time kernel
    361s
  • max time network
    363s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-06-2024 16:50

General

  • Target

    Desktop.exe

  • Size

    2.9MB

  • MD5

    870bc89aac12414fb0b2283d58a57ce9

  • SHA1

    2e3a4127668b6ae2db7566853a089f885911fd3c

  • SHA256

    1a6f1c3694f5e3a128245228344423d3e5cfea709f72f5e18afcdab1caed7be2

  • SHA512

    88d064936ae963939c1767663dd5a0807eee1c5e3c0cea48dec48be743b20fd1cdad298e708134683d3a3b2785146637d5206eb014a10be0724eeb0404e8a7c7

  • SSDEEP

    49152:xvY3ShUkwbb96kTTEGjFZ01vkfDpf5YVNFbHKpRvv1BRHoMJKxRFwLfe:xw3MUkinXfjFZKvkf95YtjOVo2wRFZ

Malware Config

Signatures

  • DcRat 32 IoCs

    DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 21 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 20 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
    "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
      "C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
        "C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
              "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"
              6⤵
              • DcRat
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2080
              • C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe
                "C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe"
                7⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:568
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:580
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    9⤵
                    PID:1424
      • C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
        "C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"
        2⤵
        • DcRat
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "Sessioncrt" /f
      1⤵
      • Process spawned unexpected child process
      PID:2648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "SessioncrtS" /f
      1⤵
      • Process spawned unexpected child process
      PID:1936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "conhost" /f
      1⤵
      • Process spawned unexpected child process
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "conhostc" /f
      1⤵
      • Process spawned unexpected child process
      PID:2848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "spoolsv" /f
      1⤵
      • Process spawned unexpected child process
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "spoolsvs" /f
      1⤵
      • Process spawned unexpected child process
      PID:2964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "audiodg" /f
      1⤵
      • Process spawned unexpected child process
      PID:1644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "audiodga" /f
      1⤵
      • Process spawned unexpected child process
      PID:1820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininit" /f
      1⤵
      • Process spawned unexpected child process
      PID:3032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininitw" /f
      1⤵
      • Process spawned unexpected child process
      PID:2900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininit" /f
      1⤵
      • Process spawned unexpected child process
      PID:1276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininitw" /f
      1⤵
      • Process spawned unexpected child process
      PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "sppsvc" /f
      1⤵
      • Process spawned unexpected child process
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "sppsvcs" /f
      1⤵
      • Process spawned unexpected child process
      PID:1100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininit" /f
      1⤵
      • Process spawned unexpected child process
      PID:1620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "wininitw" /f
      1⤵
      • Process spawned unexpected child process
      PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "services" /f
      1⤵
      • Process spawned unexpected child process
      PID:1240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "servicess" /f
      1⤵
      • Process spawned unexpected child process
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "sppsvc" /f
      1⤵
      • Process spawned unexpected child process
      PID:1692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "sppsvcs" /f
      1⤵
      • Process spawned unexpected child process
      PID:612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "taskhost" /f
      1⤵
      • Process spawned unexpected child process
      PID:2840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "taskhostt" /f
      1⤵
      • Process spawned unexpected child process
      PID:2504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "audiodg" /f
      1⤵
      • Process spawned unexpected child process
      PID:692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "audiodga" /f
      1⤵
      • Process spawned unexpected child process
      PID:2940

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Common Files\f3b6ecef712a24
      Filesize

      421B

      MD5

      099e8ce823363ebce6b7bd4acb2befc7

      SHA1

      cfe7f0047b95245023fd0a5cd9afb5ade63c462c

      SHA256

      9466deb4d83ce9dff323610e8db7e4a73a4d980454048563a13e4f0d8f0353eb

      SHA512

      d2bf47989ec0638953eb2103adf7fb42d44aba674e80d27339b8cf1866402a851f9f256e3809be4c3a6b9916256dd050c256cd30a5319924560994c074ad3238

    • C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64
      Filesize

      468B

      MD5

      f099c4d2faac9f25cf1522b17c3c5fda

      SHA1

      2cca2d8fa69ec30bb34f559bdf23f980f348c271

      SHA256

      b158dbccd0423f1e3073c56dd745a24b4afa4cfa042268c426a7c8fe513fe769

      SHA512

      503c3917133ebe524bfc3735941de36015b14047df7a5246f4933cc8eaccf58fd9b5b2942d76a0bd463531ba4089da948aad3e992ca4428f406271c64ad9fce4

    • C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6
      Filesize

      231B

      MD5

      cb777c2b8322436f935989c6eeaed36e

      SHA1

      cd7b67453396ceda1eb97813bed0871b84df14df

      SHA256

      a050f5cf3292f687fccfac402ac577441ccd46ae4343f6af46859ac092fdf2c1

      SHA512

      066bd5a7d60b134cab5ba33a2570fd25b58e52d72fd2dbf6e299c581581c4da108563c94894b9401a50933a4cf403cd0f95e6a8439439de62fd77ac2e555a5cf

    • C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16
      Filesize

      881B

      MD5

      72214c1409291a2c57332d926a5e11a7

      SHA1

      c3fca473f36724efc1cb5d424b363bd5e7914b92

      SHA256

      5e0d618f657392b7cbc8be0ca226623e41591eebead4d89f8ef414acd6239439

      SHA512

      07846048d895064749a296799773eb0083395264a759bed45cf48979323437b0e43caca853de810957fe06e4b46195487f0f22a835c9d0b0b3ad1d986e9c8611

    • C:\Program Files\Windows Photo Viewer\fr-FR\56085415360792
      Filesize

      323B

      MD5

      692c193cd6b8ae5a576c008f9c4600d5

      SHA1

      0035236c630cfac40e90363873f2acf587dac8fd

      SHA256

      5c81755884cb8d32574657f1e77bff8d02d0da285bd7a01e84e81bc308396511

      SHA512

      accc4dff77795363cd0979b94a5cc4d8bf29ec86436504d009f9651461cd6eb6a64ead53a8b3b1b8d2443d502997735fc8ebff0a5f359ccd73b7d38b27f7a45b

    • C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat
      Filesize

      379B

      MD5

      c24006cc68e3537e0fc7554e9c27061f

      SHA1

      536502f1214fb8f5f89514c1be7e262d9eb8f2ca

      SHA256

      8cc0fed86e46c17fe9e4975aeccc69f03693a420af0d459d762b9c786fd52ed6

      SHA512

      9c4f35cc589c7a1355b1c1a1a2239fb3600cf8e8a197eee6b0d176549178f5a88f56c0036d5e022dae642ac88e4d4ee26c513cef25366bb8c8c24fb45581a332

    • C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
      Filesize

      758KB

      MD5

      cb1929328dea316fcb34f3486697d16e

      SHA1

      8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

      SHA256

      7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

      SHA512

      90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

    • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat
      Filesize

      48B

      MD5

      f96a95d4ab98914fa1240be122d6f93f

      SHA1

      1cda6eceb85d4b3e5c97bf686a2fbbf506ddbcd5

      SHA256

      3cc300d7cc5eef9130a8a0fe3b748a2e00b1b57946c5d43df261a211375a5a67

      SHA512

      a210bc272db00f3f7da096a5a46c1aabf7f045b69eabd8e9d443d1c329005592f2efdaff8132c931d468ce434d099bb3da7d67c51f69b6ef8759b00deb52a179

    • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe
      Filesize

      227B

      MD5

      6412c9c4ee86bb8143388e5616d1b7c2

      SHA1

      9a5ac602a0e3087439260b045c7c590586a6dac1

      SHA256

      ae456de3284409c2b67cc2d99cde11e00d9947b23ccae05916f3b64ce5759835

      SHA512

      b4b0d3eb2b3eecef0342013fe19632ac5b9a75cb312a1430a536a8b87b9da1a1ca00a216de450c80ac10ed07b546f1920c36e49c7dddf5b9baf8f0147e305cf1

    • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
      Filesize

      1.1MB

      MD5

      251de4b1e1bd67479d61328ad352fd95

      SHA1

      c089659cc5f2a8ccb354cc5f2244910fceabcba8

      SHA256

      507e76a1783eff3690bdf15de7dea88d18087b6713f9db5787d61c1e7fe26890

      SHA512

      1f9d43bc2d3acbda7e3b9bb63cbae41cbac790a363f0fa5bde2da07c3df913556d377f5dffd57865983df8de0255556b0b093ebb5a4ebb6b48ff04c2696a5cf7

    • C:\Users\All Users\Microsoft\56085415360792
      Filesize

      146B

      MD5

      d03bd774a9b9f159b80a90218e625c22

      SHA1

      398dea126ae62fc44f5a9204248b40a5664ed8ac

      SHA256

      daa33c367f13b9ba1d5c5e7429dadebfcad367395270ee8178d55aaabd1c26ea

      SHA512

      42619b417a6528535aa66587966d36b251fa48dd6af61202031367e4c885a20112d475145521c88e1ff9a4a21c824a7a6fd787666fbb4c642a1cae727336e1a7

    • C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\42af1c969fbb7b
      Filesize

      400B

      MD5

      45519c2f3c73850faab1b2a91d384939

      SHA1

      c8bd810b3376ee26fe47c0566138c695f86ce2a5

      SHA256

      26c295b7e05db11be78dd3f3b90ff5a0c2b26309cf1aac70736336d5b6783605

      SHA512

      5d8320bdfe5c502dc043aa35f27f62dbc8b0ace63ca89e07edd2d3d77f7dff34c44840a8d0fafc13e40c315e7878f3892284f7d8a442a43b5b0cdd3c4a446e30

    • C:\Users\All Users\Templates\0a1fd5f707cd16
      Filesize

      454B

      MD5

      c1fbd389b43ecc03ff7910fb12333bd0

      SHA1

      9cc65bec965d237880c8c9ef4090415fd0f7d500

      SHA256

      dc633011026d9870f2e167b6f8ad73484c7a9acad8287a01e5dd7626df69d47a

      SHA512

      1dbdac523de8612c620e3a30869a1c673b9a5d17b1a119e7373ab7a21eef0ef6b36b14c3816ff0eb498d051aacf337545a1afaaae35a9650f313d4a62e6d0196

    • C:\Users\Default User\c5b4cb5e9653cc
      Filesize

      224B

      MD5

      adbf41e2f10bf8f05f069ee0ed3b5347

      SHA1

      15aa311900aaa585b74b8abb98313d5229b8efa1

      SHA256

      66f6c46e2f12295c4d9a2b5bf18767bf16cc8b8894a89de17b6230bc32d18370

      SHA512

      ac4c32eb30d92305b510783222dbc94bda4929207d77ac41a1943b8d47880f951ea48990f8d4117dbac2fcabd7210c79e05460be07ed2e8e6c7ce89d6e61c23e

    • C:\Users\Public\Desktop\56085415360792
      Filesize

      47B

      MD5

      625ce673068a61c84b70b8ca8f516e19

      SHA1

      36c1e639aedfc1780cb07aa7198e9696d7d940ae

      SHA256

      8c1c332ac8efa7907d655ca3dff297e5327fc765cb7ff7c06fba5d8827b1694c

      SHA512

      df9138a3ea70022f04c66fb05ec52c8665c83e7439905e12d9ab12a6210b50f980f6607fc7351d8f9f002d0f136c148ed9cf2d085d1c6729831c53c80e8c3a7f

    • \Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
      Filesize

      2.5MB

      MD5

      83618e903d98ec133601e89c1a0e1702

      SHA1

      0eb9e4eb3a1e14db6de7daa2f2adf427ea69b72b

      SHA256

      3e691c4c223f7f73ec372a89395cb52de8857117e0a89f6add5b047cebb0954a

      SHA512

      15de670de060e06e3fd292b5b273a587ece2dc1e7d6052501a01ced508f65d2840c485745fb4852fc3edb2b8bbab471f3abaa524d24ef0b3a64b3131ec7977fb

    • \Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
      Filesize

      2.2MB

      MD5

      48e1d67ef1b8e21942e80ef139c49ab5

      SHA1

      f6afc9a69a1f87e4eee7292d24baef715fee9edd

      SHA256

      e9eefea3acb118651c066d0f2a3aa0af471678d601198025f4a30b8fef810b08

      SHA512

      34498df32a3d9ee468bc94b046da999d56af25c850f77f817ac1117a60ded8e19ca1194e5d421fddbac2c9a54da71a4e435b88a10a8f04f67ba002b9275793b2

    • memory/568-92-0x0000000000E10000-0x0000000000F3C000-memory.dmp
      Filesize

      1.2MB

    • memory/1732-42-0x0000000003DF0000-0x00000000041F3000-memory.dmp
      Filesize

      4.0MB

    • memory/2080-63-0x00000000004A0000-0x00000000004B0000-memory.dmp
      Filesize

      64KB

    • memory/2080-65-0x0000000000B10000-0x0000000000B1C000-memory.dmp
      Filesize

      48KB

    • memory/2080-64-0x0000000000860000-0x000000000086A000-memory.dmp
      Filesize

      40KB

    • memory/2080-62-0x0000000000630000-0x000000000064C000-memory.dmp
      Filesize

      112KB

    • memory/2080-61-0x0000000001150000-0x000000000127C000-memory.dmp
      Filesize

      1.2MB

    • memory/2260-54-0x0000000000BD0000-0x0000000000FD3000-memory.dmp
      Filesize

      4.0MB

    • memory/2260-43-0x0000000000BD0000-0x0000000000FD3000-memory.dmp
      Filesize

      4.0MB

    • memory/2784-45-0x0000000001120000-0x00000000011E4000-memory.dmp
      Filesize

      784KB