Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
21-06-2024 23:05
Behavioral task
behavioral1
Sample
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
Resource
win10v2004-20240508-en
General
-
Target
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
-
Size
1.1MB
-
MD5
ab175c425a64e74883b16ab9084d39c0
-
SHA1
347e1e8bcf7099ed2c4ffe0eebbc3d0f18e34683
-
SHA256
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1
-
SHA512
f29c0ac1f10a85ec9ce73e3e262358fa7770de1176a75b44ecd198b221057e0d03527dacdddc2f666a33d47b1fe7d6aba238f1f82f669f2bcc05dfa285831707
-
SSDEEP
24576:d2G/nvxW3W+tZ1bmDMmrZGTQuUHXVO9nAJT4qxn:dbA3fZ1bmBZQQ5VVl
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5092 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3364 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5720 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5736 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3316 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5324 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4408 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5204 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5156 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3812 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4072 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1248 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3784 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3088 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3672 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5196 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4944 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5540 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3616 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3612 | 5956 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 5956 | schtasks.exe |
-
Processes:
resource | yara_rule
C:\MschainWinMonitor\bridgeComsession.exe | dcrat
behavioral2/memory/6072-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe, WScript.exe, bridgeComsession.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | bridgeComsession.exe
-
Executes dropped EXE 2 IoCs
Processes:
bridgeComsession.exe, unsecapp.exe
pid | process
6072 | bridgeComsession.exe
4016 | unsecapp.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
bridgeComsession.exe
description | ioc | process
File created | C:\Program Files\MSBuild\RuntimeBroker.exe | bridgeComsession.exe
File created | C:\Program Files\MSBuild\9e8d7a4ca61bd9 | bridgeComsession.exe
File created | C:\Program Files\Windows Security\RuntimeBroker.exe | bridgeComsession.exe
File created | C:\Program Files\Windows Security\9e8d7a4ca61bd9 | bridgeComsession.exe
File created | C:\Program Files\Java\jre8\lib\dllhost.exe | bridgeComsession.exe
File created | C:\Program Files\Java\jre8\lib\5940a34987c991 | bridgeComsession.exe
-
Drops file in Windows directory 5 IoCs
Processes:
bridgeComsession.exe
description | ioc | process
File created | C:\Windows\ModemLogs\wininit.exe | bridgeComsession.exe
File opened for modification | C:\Windows\ModemLogs\wininit.exe | bridgeComsession.exe
File created | C:\Windows\ModemLogs\56085415360792 | bridgeComsession.exe
File created | C:\Windows\Performance\conhost.exe | bridgeComsession.exe
File created | C:\Windows\Performance\088424020bedd6 | bridgeComsession.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
pid | process
4560 | schtasks.exe
1248 | schtasks.exe
1880 | schtasks.exe
3784 | schtasks.exe
3672 | schtasks.exe
3364 | schtasks.exe
5720 | schtasks.exe
4400 | schtasks.exe
3612 | schtasks.exe
1928 | schtasks.exe
3316 | schtasks.exe
4072 | schtasks.exe
4944 | schtasks.exe
2168 | schtasks.exe
2656 | schtasks.exe
2816 | schtasks.exe
5204 | schtasks.exe
5196 | schtasks.exe
5156 | schtasks.exe
3812 | schtasks.exe
3616 | schtasks.exe
2188 | schtasks.exe
5736 | schtasks.exe
4408 | schtasks.exe
5540 | schtasks.exe
5092 | schtasks.exe
5324 | schtasks.exe
3088 | schtasks.exe
2080 | schtasks.exe
2988 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
bridgeComsession.exe, unsecapp.exe
pid | process
6072 | bridgeComsession.exe
6072 | bridgeComsession.exe
6072 | bridgeComsession.exe
6072 | bridgeComsession.exe
6072 | bridgeComsession.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
4016 | unsecapp.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
unsecapp.exe
pid | process
4016 | unsecapp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
bridgeComsession.exe, unsecapp.exe
description | pid | process
Token: SeDebugPrivilege | 6072 | bridgeComsession.exe
Token: SeDebugPrivilege | 4016 | unsecapp.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe, WScript.exe, cmd.exe, bridgeComsession.exe
description | pid | process | target process
PID 4972 wrote to memory of 2996 | 4972 | 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe | WScript.exe
PID 4972 wrote to memory of 2996 | 4972 | 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe | WScript.exe
PID 4972 wrote to memory of 2996 | 4972 | 77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe | WScript.exe
PID 2996 wrote to memory of 448 | 2996 | WScript.exe | cmd.exe
PID 2996 wrote to memory of 448 | 2996 | WScript.exe | cmd.exe
PID 2996 wrote to memory of 448 | 2996 | WScript.exe | cmd.exe
PID 448 wrote to memory of 6072 | 448 | cmd.exe | bridgeComsession.exe
PID 448 wrote to memory of 6072 | 448 | cmd.exe | bridgeComsession.exe
PID 6072 wrote to memory of 4016 | 6072 | bridgeComsession.exe | unsecapp.exe
PID 6072 wrote to memory of 4016 | 6072 | bridgeComsession.exe | unsecapp.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe
"C:\Users\Admin\AppData\Local\Temp\77f3663f1210d1e37a4cc58a71f211e8e0dc2116ad868ca9ff9914e918201ab1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MschainWinMonitor\wNtcXu4nRlXtRhLUT8BLaW.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2996
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MschainWinMonitor\eJgYKVcrvPR70qXlHyqbm5zJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:448
-
C:\MschainWinMonitor\bridgeComsession.exe
"C:\MschainWinMonitor\bridgeComsession.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6072
-
C:\Users\Default\Local Settings\unsecapp.exe
"C:\Users\Default\Local Settings\unsecapp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre8\lib\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre8\lib\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Performance\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\MschainWinMonitor\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MschainWinMonitor\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\MschainWinMonitor\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MschainWinMonitor\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MschainWinMonitor\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MschainWinMonitor\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\MschainWinMonitor\bridgeComsession.exe
Filesize
827KB
-
C:\MschainWinMonitor\eJgYKVcrvPR70qXlHyqbm5zJ.bat
Filesize
43B
-
C:\MschainWinMonitor\wNtcXu4nRlXtRhLUT8BLaW.vbe
Filesize
218B
-
memory/6072-12-0x00007FFA71E53000-0x00007FFA71E55000-memory.dmp
Filesize
8KB
-
memory/6072-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp
Filesize
856KB