Analysis

  • max time kernel
    61s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    17-07-2024 11:23

General

  • Target

    Riga Client.exe

  • Size

    2.0MB

  • MD5

    40ac7d11ebb91612d8d5c16c05af0a13

  • SHA1

    543a6c16f8f058fb6ba029ee3a9c5fde92aaa212

  • SHA256

    4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e

  • SHA512

    223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c

  • SSDEEP

    49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl

Malware Config

Signatures

  • DcRat 39 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 27 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 26 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Riga Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\componentCommon\ComInto.exe
          "C:\componentCommon\ComInto.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Users\Default User\spoolsv.exe
            "C:\Users\Default User\spoolsv.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:320
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eeba68d-8cbf-45ae-8309-1c19845f098d.vbs"
              6⤵
              PID:1572
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\440f4fe4-9dcd-433f-a114-d591f0d5e174.vbs"
              6⤵
              PID:3048
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1644
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:2904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\componentCommon\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2544
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2548
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\componentCommon\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\componentCommon\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\componentCommon\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1072
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2376
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:988
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\componentCommon\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\componentCommon\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\componentCommon\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2032
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2092
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1424
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "ComInto" /f
          1⤵
          • Process spawned unexpected child process
          PID:2280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "ComIntoC" /f
          1⤵
          • Process spawned unexpected child process
          PID:2336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "conhost" /f
          1⤵
          • Process spawned unexpected child process
          PID:2508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "conhostc" /f
          1⤵
          • Process spawned unexpected child process
          PID:2640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "dwm" /f
          1⤵
          • Process spawned unexpected child process
          PID:2532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "dwmd" /f
          1⤵
          • Process spawned unexpected child process
          PID:1068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "dwm" /f
          1⤵
          • Process spawned unexpected child process
          PID:2724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "dwmd" /f
          1⤵
          • Process spawned unexpected child process
          PID:2136
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "lsass" /f
          1⤵
          • Process spawned unexpected child process
          PID:2624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "lsassl" /f
          1⤵
          • Process spawned unexpected child process
          PID:2148
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "explorer" /f
          1⤵
          • Process spawned unexpected child process
          PID:2828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "explorere" /f
          1⤵
          • Process spawned unexpected child process
          PID:2936
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "services" /f
          1⤵
          • Process spawned unexpected child process
          PID:2944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "servicess" /f
          1⤵
          • Process spawned unexpected child process
          PID:2132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "explorer" /f
          1⤵
          • Process spawned unexpected child process
          PID:2972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "explorere" /f
          1⤵
          • Process spawned unexpected child process
          PID:2384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "dllhost" /f
          1⤵
          • Process spawned unexpected child process
          PID:1340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "dllhostd" /f
          1⤵
          • Process spawned unexpected child process
          PID:2668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "spoolsv" /f
          1⤵
          • Process spawned unexpected child process
          PID:2284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "spoolsvs" /f
          1⤵
          • Process spawned unexpected child process
          PID:2360
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "smss" /f
          1⤵
          • Process spawned unexpected child process
          PID:1236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "smsss" /f
          1⤵
          • Process spawned unexpected child process
          PID:676
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "lsm" /f
          1⤵
          • Process spawned unexpected child process
          PID:2076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "lsml" /f
          1⤵
          • Process spawned unexpected child process
          PID:928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "csrss" /f
          1⤵
          • Process spawned unexpected child process
          PID:2312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "csrssc" /f
          1⤵
          PID:2308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "lsm" /f
          1⤵
          PID:2388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "lsml" /f
          1⤵
          PID:1132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "spoolsv" /f
          1⤵
          PID:1984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /tn "spoolsvs" /f
          1⤵
          PID:2988

Network

MITRE ATT&CK Enterprise v15

Downloads
