Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 03:20

General

  • Target

    Gamesense.exe

  • Size

    2.5MB

  • MD5

    6e292e2932951e7a1cb7dfc313121a6b

  • SHA1

    72cf74f7ecf405b1f72fd3e42f541c30b2ff9fba

  • SHA256

    ebcefb989d32ca643f3560d4223e47cbbe2ea3c97755cf93b9b3fbabaf3545cf

  • SHA512

    ba6dda938a6c1beb724277b9c1b819d54467ce125de99619d19438d432f2273e785b94cd8c02ee747ceafe91159ce27d6fc891ba57f6365e2d4ff3afb1f06ed9

  • SSDEEP

    49152:UbA30sHoNElLsaAB3Olt0BSXYAnjE5fqpCUdwUencN9:UbgHjlLsxeAIj5pCweO

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gamesense.exe
    "C:\Users\Admin\AppData\Local\Temp\Gamesense.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\bridgeFont\A6eEKUh9zDmgALE.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\bridgeFont\Blockdriverhost.exe
          "C:\bridgeFont\Blockdriverhost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe
            "C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2280
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\406eb397-f2a4-41d2-96e5-98254a608383.vbs"
              6⤵
                PID:1724
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9e2128-7818-4809-a1d0-cae182329023.vbs"
                6⤵
                  PID:1588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:748
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1260
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\bridgeFont\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\bridgeFont\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\bridgeFont\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\bridgeFont\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\bridgeFont\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\bridgeFont\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\bridgeFont\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\bridgeFont\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\bridgeFont\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockdriverhostB" /sc MINUTE /mo 8 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Blockdriverhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Blockdriverhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Blockdriverhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1564
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BlockdriverhostB" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\Blockdriverhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\es-ES\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2144
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2976
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1800

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\406eb397-f2a4-41d2-96e5-98254a608383.vbs
        Filesize

        737B

        MD5

        ce51ae7d51da129a1646f504644c13d3

        SHA1

        d951f8921f2f23f8d4c21ad10edfc9009e00691e

        SHA256

        b1a7e8d7839f8f5563e0e49f8ebca518a36504cbddeb5fc0d36637b6cb93a4ff

        SHA512

        166c3859f622039def97f6f9cd4314773c565c7b78b2d48efc43c5573ecb06b78506c774786ed1f7b27cce4183387a7a4408c97b583e0877e4c78952a44e6aea

      • C:\Users\Admin\AppData\Local\Temp\5b9e2128-7818-4809-a1d0-cae182329023.vbs
        Filesize

        513B

        MD5

        05e94e53fe0f65db5a370eea95669819

        SHA1

        0fe0a56a6f4464da31ad6df0775786765c74cb5b

        SHA256

        83ca6b5f622e08a45623032fc98ea5bbcb9a9a075c01b2c81d18d38554509b92

        SHA512

        112dcca48cdc68d1d5eb900da003d9355b17653650905d853abe0a47b1b14318d9bbdba066f7fca542dbb10cc0d700a98a9d90a17c56ae09502bbaf13b974d7e

      • C:\bridgeFont\8kIXiGVnjvW92YDIHYq.vbe
        Filesize

        203B

        MD5

        f834877689aa9f2dbd0d2084bb779fb4

        SHA1

        5bcadc4ef4b14e7c41b7fb0b9cf8d918bfabea67

        SHA256

        21f91b10a8abe860f6cc78e0c229737187e13f30f773af62f27e630534039768

        SHA512

        abbade5f776f7e1515bee59b5c01d7d39f89c14f12f72795b5fed7d7c82efb6508c34cbd267a5f6b16e285ae590f5769e28db6522187e5556da14d2bc1886034

      • C:\bridgeFont\A6eEKUh9zDmgALE.bat
        Filesize

        35B

        MD5

        a254cc5bfb66a33ccdee83d23ff8d10b

        SHA1

        40461cbacf4b71e94dd321fc30d7d69febd1e8ee

        SHA256

        f34a02f3f74a210905c17a168415de23a429c4f33f1943fd6ff7d86421ddcf87

        SHA512

        f5f9a32b0e5ace91ee1b4a113c8413a7d61b3d2cc9878b73256e89cb3c59896b8b91b98e9adfb711ffbdd21137d030ddf6489c7fdd587c1b2955a8e65afea05e

      • \bridgeFont\Blockdriverhost.exe
        Filesize

        2.2MB

        MD5

        4021df69fad7e54ef1154a5322b1eece

        SHA1

        ece1a3140a5a394c4a57f110609b9d494e6f59f5

        SHA256

        3bf9e41b570eeb923ed1f44e1fffa81fbd3dfe9f0324c594327d2d271af8cc6f

        SHA512

        0e0a18d8b319f2ff1de023ef8f43d905bbb47e08515ce91a02a868c5ed948fb02ee62576967512582c67da5593618526be8ae272a6e9b3fc4c664d40bd51e9d4

      • memory/2280-69-0x0000000000AB0000-0x0000000000AC2000-memory.dmp
        Filesize

        72KB

      • memory/2280-68-0x0000000000A40000-0x0000000000A96000-memory.dmp
        Filesize

        344KB

      • memory/2280-67-0x0000000000D90000-0x0000000000FBE000-memory.dmp
        Filesize

        2.2MB

      • memory/2612-18-0x0000000000730000-0x0000000000742000-memory.dmp
        Filesize

        72KB

      • memory/2612-19-0x0000000000870000-0x000000000087C000-memory.dmp
        Filesize

        48KB

      • memory/2612-20-0x0000000000880000-0x000000000088A000-memory.dmp
        Filesize

        40KB

      • memory/2612-21-0x00000000020A0000-0x00000000020A8000-memory.dmp
        Filesize

        32KB

      • memory/2612-22-0x0000000002130000-0x000000000213C000-memory.dmp
        Filesize

        48KB

      • memory/2612-17-0x0000000000720000-0x000000000072C000-memory.dmp
        Filesize

        48KB

      • memory/2612-16-0x0000000000710000-0x000000000071C000-memory.dmp
        Filesize

        48KB

      • memory/2612-15-0x0000000002180000-0x00000000021D6000-memory.dmp
        Filesize

        344KB

      • memory/2612-14-0x0000000000700000-0x0000000000708000-memory.dmp
        Filesize

        32KB

      • memory/2612-13-0x00000000000E0000-0x000000000030E000-memory.dmp
        Filesize

        2.2MB