Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-05-2024 05:45

General

  • Target

    fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe

  • Size

    2.7MB

  • MD5

    a78d0c51cca6fcf4a6ef0c33e5fd0bd4

  • SHA1

    5768a7cf4aeed1327d64087f55fc6fba34f817fd

  • SHA256

    fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8

  • SHA512

    a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5

  • SSDEEP

    49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe
    "C:\Users\Admin\AppData\Local\Temp\fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Users\Public\Pictures\smss.exe
      "C:\Users\Public\Pictures\smss.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:4824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\backgroundTaskHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Sun\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\tr-TR\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\tr-TR\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\tr-TR\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ESENT\0410\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\INF\ESENT\0410\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\ESENT\0410\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Windows Defender\de-DE\RCX8CD0.tmp

    Filesize

    2.7MB

    MD5

    d9d7acdb9a142121002743b6c8bd0013

    SHA1

    7507f0bda7b154909e200e09663fa6803cd9a683

    SHA256

    8d0096b8474c1fb7057138178fb291fad8695c9af18032e909010e13decedad1

    SHA512

    6a1d3ddad6d46c155932cb347febf87e0e25661fd6ca233754763ce2ee22d63fe6f0b15482a7a7c21521469d604f5dc26ab5104fd88f34a1d6911eb52f5d8d87

  • C:\Program Files\Windows Multimedia Platform\taskhostw.exe

    Filesize

    2.7MB

    MD5

    a78d0c51cca6fcf4a6ef0c33e5fd0bd4

    SHA1

    5768a7cf4aeed1327d64087f55fc6fba34f817fd

    SHA256

    fdf58fac5f5d5c152dee83f08c0799b510b1ce936518248db6078c6c081f20b8

    SHA512

    a3d3c48766afe5890562f0e86f5c44bf62beefebcf8f87dfc5065ba53ecae6cb8f9e4f441ac87ec5359170c08792fc784e9187366cb7c9a64fc6eb4c90e250c5

  • C:\Program Files\Windows Multimedia Platform\taskhostw.exe

    Filesize

    2.7MB

    MD5

    d0580b07a083f3b0a350986d0d202165

    SHA1

    8a313d2fb6010c166a7972cb06d6513726166274

    SHA256

    c21adfaa96108fa3ad0618cca8b46e26c75ad78681681d78ea25db512d53a624

    SHA512

    fd4b662dd5b8bc69ae046bbe879b3686d0dfffa575fe6ff4d0b41cacee5c26fcf90d14641d4cdabaf97509cce081bdd724684c365a5eaa5701981910b471f728

  • C:\Program Files\Windows Portable Devices\RCX883A.tmp

    Filesize

    2.7MB

    MD5

    04479fcb901e1acb9718e457d95a13a2

    SHA1

    c3eec52ef48f4434e709e09b9151a98b01dcad20

    SHA256

    2793f19a919c52ff7426d61a06499295b767a26e0a7e2779ba920a078b311cd7

    SHA512

    5f80cab96c262f7168674da3fef9cd63c8497088adbc26e6ffffd1efd6e84f7f6aaa5ecc472bf05fa6c630c1b623005160affddc31a70c3afc189fe32a1dbb56

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsj2yjzl.hyz.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
