Analysis
- max time kernel: 600s
- max time network: 598s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 01:07

Behavioral task: behavioral1
- Sample: DCRatBuild.exe
- Resource: win7-20240611-en

General
- Target: DCRatBuild.exe
- Size: 2.8MB
- MD5: 0a6cd0aed40de98cb0086c11454fc7f5
- SHA1: 364a210567fbff8b8095a09f6d4c8745f44bd82c
- SHA256: d07d79bfaecfaad730b473aedbedd0b1c49b5361f74aab3a79c7a37c623527eb
- SHA512: 1e90fc51509290d94e96a10c57f681e85a1bb4a28b5e090b20f41567d31123b117a68cff7dead979f3119bc3f2a64cc43fab3194036939c4ec3daf070f6a958a
- SSDEEP: 49152:UbA30Mx6mbB202bRTk7puPi9bOdL/+AmU0FwGkxKYFC19Jm/PKhd:UbYUmbB20sRSuPi9bQL/+AmU0F7LSk
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: all 15 entries are schtasks.exe with the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process".
  pid   pid_target  process
  2044  3980        schtasks.exe
  3852  3980        schtasks.exe
  764   3980        schtasks.exe
  1016  3980        schtasks.exe
  5096  3980        schtasks.exe
  1252  3980        schtasks.exe
  4220  3980        schtasks.exe
  4892  3980        schtasks.exe
  4092  3980        schtasks.exe
  548   3980        schtasks.exe
  4640  3980        schtasks.exe
  1884  3980        schtasks.exe
  3636  3980        schtasks.exe
  3788  3980        schtasks.exe
  5048  3980        schtasks.exe

UAC bypass 6 IoCs
Processes: backgroundTaskHost.exe, BrokerSvc.exe
  description      ioc                                                                                              process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       backgroundTaskHost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   BrokerSvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  BrokerSvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       BrokerSvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   backgroundTaskHost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  backgroundTaskHost.exe

YARA rule matches
  resource                                                                   yara_rule
  C:\PortFontMonitornetcommon\BrokerSvc.exe                                  dcrat
  behavioral2/memory/840-13-0x0000000000920000-0x0000000000B9A000-memory.dmp  dcrat

Disables Task Manager via registry modification

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: DCRatBuild.exe, WScript.exe, BrokerSvc.exe
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation  DCRatBuild.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation  BrokerSvc.exe

Executes dropped EXE 4 IoCs
Processes:
  pid   process
  840   BrokerSvc.exe
  1848  backgroundTaskHost.exe
  4072  conhost.exe
  3204  taskhostw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled 4 IoCs
Processes: backgroundTaskHost.exe, BrokerSvc.exe
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        backgroundTaskHost.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  backgroundTaskHost.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        BrokerSvc.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  BrokerSvc.exe

Drops file in Program Files directory 5 IoCs
Processes: BrokerSvc.exe
  description                   ioc                                                                                       process
  File created                  C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe                                 BrokerSvc.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe                                 BrokerSvc.exe
  File created                  C:\Program Files\Windows Sidebar\Gadgets\e1ef82546f0b02                                   BrokerSvc.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe         BrokerSvc.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ea9f0e6c9e2dcd        BrokerSvc.exe

Drops file in Windows directory 2 IoCs
Processes: BrokerSvc.exe
  description   ioc                                              process
  File created  C:\Windows\Sun\Java\Deployment\conhost.exe       BrokerSvc.exe
  File created  C:\Windows\Sun\Java\Deployment\088424020bedd6    BrokerSvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 2 IoCs
Processes: DCRatBuild.exe, BrokerSvc.exe
  description  ioc                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings  DCRatBuild.exe
  Key created  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings  BrokerSvc.exe

Modifies registry key 1 TTPs 1 IoCs

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe with pids 3636, 1016, 5096, 1252, 4640, 4092, 1884, 5048, 2044, 764, 4220, 3788, 3852, 4892, 548

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                 entries
  840   BrokerSvc.exe           5
  1848  backgroundTaskHost.exe  59

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1848  backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: BrokerSvc.exe, backgroundTaskHost.exe, conhost.exe, taskhostw.exe
  description               pid   process
  Token: SeDebugPrivilege   840   BrokerSvc.exe
  Token: SeDebugPrivilege   1848  backgroundTaskHost.exe
  Token: SeDebugPrivilege   4072  conhost.exe
  Token: SeDebugPrivilege   3204  taskhostw.exe

Suspicious use of WriteProcessMemory 17 IoCs
Processes: DCRatBuild.exe, WScript.exe, cmd.exe, BrokerSvc.exe, cmd.exe (repeated entries collapsed; the count is the number of IoCs recorded)
  description                      pid   process         target process          count
  PID 624 wrote to memory of 4984  624   DCRatBuild.exe  WScript.exe             3
  PID 4984 wrote to memory of 4656 4984  WScript.exe     cmd.exe                 3
  PID 4656 wrote to memory of 840  4656  cmd.exe         BrokerSvc.exe           2
  PID 840 wrote to memory of 4408  840   BrokerSvc.exe   cmd.exe                 2
  PID 4656 wrote to memory of 3320 4656  cmd.exe         reg.exe                 3
  PID 4408 wrote to memory of 3516 4408  cmd.exe         w32tm.exe               2
  PID 4408 wrote to memory of 1848 4408  cmd.exe         backgroundTaskHost.exe  2

System policy modification 1 TTPs 6 IoCs
Processes: backgroundTaskHost.exe, BrokerSvc.exe
  description      ioc                                                                                              process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  backgroundTaskHost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       backgroundTaskHost.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   BrokerSvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  BrokerSvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       BrokerSvc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; indentation shows parent/child depth. Each entry gives the image path, PID, command line and the signatures it triggered.)

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (PID 624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 4984)
    Command line: "C:\Windows\System32\WScript.exe" "C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4656)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat" "
      - Suspicious use of WriteProcessMemory

      C:\PortFontMonitornetcommon\BrokerSvc.exe (PID 840)
        Command line: "C:\PortFontMonitornetcommon\BrokerSvc.exe"
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\cmd.exe (PID 4408)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w3ky7Mcri9.bat"
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\w32tm.exe (PID 3516)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

          C:\PortFontMonitornetcommon\backgroundTaskHost.exe (PID 1848)
            Command line: "C:\PortFontMonitornetcommon\backgroundTaskHost.exe"
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification

      C:\Windows\SysWOW64\reg.exe (PID 3320)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

C:\Windows\system32\schtasks.exe (15 top-level entries; each triggers "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
  PID 2044: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /f
  PID 3852: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
  PID 764:  schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
  PID 1016: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\conhost.exe'" /f
  PID 5096: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\conhost.exe'" /rl HIGHEST /f
  PID 1252: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\conhost.exe'" /rl HIGHEST /f
  PID 4220: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\PortFontMonitornetcommon\backgroundTaskHost.exe'" /f
  PID 4892: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\PortFontMonitornetcommon\backgroundTaskHost.exe'" /rl HIGHEST /f
  PID 4092: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\PortFontMonitornetcommon\backgroundTaskHost.exe'" /rl HIGHEST /f
  PID 548:  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /f
  PID 4640: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /rl HIGHEST /f
  PID 1884: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /rl HIGHEST /f
  PID 3636: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\TrustedInstaller.exe'" /f
  PID 3788: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\TrustedInstaller.exe'" /rl HIGHEST /f
  PID 5048: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\System32\rundll32.exe (PID 4472)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\Sun\Java\Deployment\conhost.exe (PID 4072)
  Command line: C:\Windows\Sun\Java\Deployment\conhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe (PID 3204)
  Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\PortFontMonitornetcommon\BrokerSvc.exe
- Filesize: 2.5MB
- MD5: fc27116ce1b57a71d7d201e9aae86b01
- SHA1: ff047b7c918d9ff388b5c4928bfad5dcc818f1d4
- SHA256: 121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b
- SHA512: 25747516de2d99e6193fc920435ececf1b7ddb8990487d26d03cf6179b7dab0f5172c0dfa5d4db4a29028c00c12a9fb266bc14d6920e864d6a3934af7748618b

C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat
- Filesize: 166B
- MD5: e09688b8cdb47414e341937de481c43d
- SHA1: e799a6166c872f085d62a5ea580b0798be36835d
- SHA256: 949721b3bf385d01afc6b13e3c3ad7f37d87d29c49f243e2d59d4152925ee31b
- SHA512: c6a2aa753e0feaf0549cd22ace526a81c219b1b5513bb8a83154d6adeeb3db0536a4c0f0a9cb14373934ce400f8ed4681046e53bd175da5be10c0b7548690017

C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe
- Filesize: 237B
- MD5: e2723c4480fd7a7a5d8c46cb7bd7010e
- SHA1: 8ece7fa1a4cc39d5d439c13c8670c416ce4da987
- SHA256: 8064029eab99ac1caed8414e03b5e7c981de56a6fcb7bdce3aa3b3438f430a2b
- SHA512: 8ad0e2d16feaf91c9fc016b048721819d0b0ee5b4802371e5317b1b27ff7368fddd8ad6179de024c478d61fba3273727a3d94a59faef36a3b1cd2cdab32f6c51

C:\Users\Admin\AppData\Local\Temp\w3ky7Mcri9.bat
- Filesize: 215B
- MD5: 0971871ced868145f38160c1a5df6519
- SHA1: 981499b94a98f506f36c773209c64c1dbbc5728b
- SHA256: 6dea0dd9907223d82c52957047978c15fa5df167aafccd0b9c057fd2043e3b5a
- SHA512: 6f9db2696a197ee0d0d046ece1d469a4ba8c760db9cd781d1e2bc3ae88c6021423cc2b060d985e7273cb515dba0006582f1f9ded591b8633f51f182682dc0d9c

Memory dumps
  dump                                                              filesize
  memory/840-19-0x000000001BD80000-0x000000001BDD6000-memory.dmp    344KB
  memory/840-22-0x000000001BD20000-0x000000001BD2C000-memory.dmp    48KB
  memory/840-15-0x000000001B7B0000-0x000000001B7CC000-memory.dmp    112KB
  memory/840-16-0x000000001BD30000-0x000000001BD80000-memory.dmp    320KB
  memory/840-18-0x000000001BCF0000-0x000000001BCFA000-memory.dmp    40KB
  memory/840-17-0x000000001BCE0000-0x000000001BCE8000-memory.dmp    32KB
  memory/840-13-0x0000000000920000-0x0000000000B9A000-memory.dmp    2.5MB
  memory/840-20-0x000000001BD00000-0x000000001BD0C000-memory.dmp    48KB
  memory/840-21-0x000000001BD10000-0x000000001BD18000-memory.dmp    32KB
  memory/840-14-0x000000001B7A0000-0x000000001B7AE000-memory.dmp    56KB
  memory/840-23-0x000000001BDD0000-0x000000001BDDC000-memory.dmp    48KB
  memory/840-24-0x000000001C150000-0x000000001C15C000-memory.dmp    48KB
  memory/840-25-0x000000001BFE0000-0x000000001BFEE000-memory.dmp    56KB
  memory/840-26-0x000000001BFF0000-0x000000001BFFC000-memory.dmp    48KB
  memory/840-27-0x000000001C000000-0x000000001C00C000-memory.dmp    48KB
  memory/840-12-0x00007FF8D8EC3000-0x00007FF8D8EC5000-memory.dmp    8KB
  memory/1848-47-0x000000001C200000-0x000000001C256000-memory.dmp   344KB
  memory/1848-48-0x000000001D370000-0x000000001D532000-memory.dmp   1.8MB