dcrat | b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25-01-2022 20:58

220125-zr9txafah2 10

25-01-2022 05:22

220125-f2kszshddn 10

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
25-01-2022 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

dcrat infostealer persistence rat suricata

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeb5320340037751e10748b6463fab8ee0.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
788	schtasks.exe
File created	C:\Windows\Vss\Writers\System\audiodg.exe	b5320340037751e10748b6463fab8ee0.exe
2008	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	b5320340037751e10748b6463fab8ee0.exe
1860	schtasks.exe
1176	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Vss\\Writers\\System\\audiodg.exe\""	b5320340037751e10748b6463fab8ee0.exe
1828	schtasks.exe
896	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

services.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	services.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	816	schtasks.exe

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1668 services.exe
Deletes itself 1 IoCs

Processes:

services.exe

pid process

1668 services.exe

pid	process
1668	services.exe

pid	process
1668	services.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Vss\\Writers\\System\\audiodg.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\spcmsg\\services.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Globalization\\ELS\\Transliteration\\csrss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\ieUnatt\\smss.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\mssip32\\taskhost.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 6 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Windows\System32\mssip32\taskhost.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\mssip32\b75386f1303e64	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\spcmsg\services.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\spcmsg\c5b4cb5e9653cc	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\ieUnatt\smss.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\ieUnatt\69ddcba757bf72	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 5 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exe

description	ioc	process
File created	C:\Windows\Vss\Writers\System\audiodg.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\Vss\Writers\System\audiodg.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\Vss\Writers\System\42af1c969fbb7b	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\Globalization\ELS\Transliteration\csrss.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\Globalization\ELS\Transliteration\886983d96e3d3e	b5320340037751e10748b6463fab8ee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2008 schtasks.exe
1828 schtasks.exe
896 schtasks.exe
1860 schtasks.exe
788 schtasks.exe
1176 schtasks.exe

pid	process
2008	schtasks.exe
1828	schtasks.exe
896	schtasks.exe
1860	schtasks.exe
788	schtasks.exe
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exepowershell.exe

pid	process
740	b5320340037751e10748b6463fab8ee0.exe
988	powershell.exe
1728	powershell.exe
1756	powershell.exe
2032	powershell.exe
336	powershell.exe
1692	powershell.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1668	services.exe
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exeservices.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	740	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	1668	services.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

b5320340037751e10748b6463fab8ee0.exeservices.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 988	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 988	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 988	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 336	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 336	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 336	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 2032	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 2032	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 2032	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1692	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1692	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1692	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1728	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1728	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1728	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1724	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1724	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1724	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1756	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1756	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1756	740	b5320340037751e10748b6463fab8ee0.exe	powershell.exe
PID 740 wrote to memory of 1668	740	b5320340037751e10748b6463fab8ee0.exe	services.exe
PID 740 wrote to memory of 1668	740	b5320340037751e10748b6463fab8ee0.exe	services.exe
PID 740 wrote to memory of 1668	740	b5320340037751e10748b6463fab8ee0.exe	services.exe
PID 1668 wrote to memory of 1292	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1292	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1292	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1816	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1816	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1816	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 2016	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 2016	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 2016	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 736	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 736	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 736	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 108	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 108	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 108	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1828	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1828	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1828	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1628	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1628	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1628	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 788	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 788	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 788	1668	services.exe	schtasks.exe
PID 1668 wrote to memory of 1464	1668	services.exe	cmd.exe
PID 1668 wrote to memory of 1464	1668	services.exe	cmd.exe
PID 1668 wrote to memory of 1464	1668	services.exe	cmd.exe
PID 1464 wrote to memory of 1452	1464	cmd.exe	w32tm.exe
PID 1464 wrote to memory of 1452	1464	cmd.exe	w32tm.exe
PID 1464 wrote to memory of 1452	1464	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\spcmsg\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ieUnatt\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mssip32\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\spcmsg\services.exe
  "C:\Windows\System32\spcmsg\services.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "b5320340037751e10748b6463fab8ee0" /f
    3⤵
    PID:1292
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "audiodg" /f
    3⤵
    PID:1816
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "explorer" /f
    3⤵
    PID:2016
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "services" /f
    3⤵
    PID:736
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "csrss" /f
    3⤵
    PID:108
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "smss" /f
    3⤵
    PID:1828
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "taskhost" /f
    3⤵
    PID:1628
- - C:\Windows\system32\schtasks.exe
    "schtasks" /Delete /tn "services" /f
    3⤵
    PID:788
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\spcmsg\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\ieUnatt\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\mssip32\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\7a0fd90576e088

MD5
32a828896ee3edb91e6b5ead0c1663a1

SHA1
da354144913f7ba1d89acec11c97c4e5e4d9d84d

SHA256
05036d059170b77f1fdca4849bc2d28095c7eb0726d5abe09714f804af938332

SHA512
595d3326253d408d0f1ca799cb42b7c8af991af81faf7518ecd4b1425c09e1864394a86ed8698d1bdd2f46e0a15bb4bc67fcdc2b3697fdac06333e5cb40e53d2

Download Submit
C:\Documents and Settings\explorer.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

MD5
3bf94a5e9d47693aea4992c19756d7ba

SHA1
ca2e59ed33de1c180f643cb6960d2abc1df76d68

SHA256
193eac8e743c8c2682f46305171cd1db849ce466da8ca62a0a0ac1e4642a93aa

SHA512
cc1dff97101d56947a800e3368a2d9456f5c31d015f3560569642f8a68b3f10623021fd0eabe69690e828a54b76b7e1f09bc907251ef9623d350fa40dd71e917

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
935e9161e6f5371cb3fc8361276caf5d

SHA1
72f39679596c9e9dda928ce2af5d9ed7137170a8

SHA256
ce649e01a6dd664775985659c29efce0c1add7af4d20bff362ceda79aada33da

SHA512
b94dbe99c2b6b8fc8995de94018e82bb7f91854288891e49f4578c303c2599445b052dc6b7d569b6b750614279cbc6a0b487e7d1753e9963731d5c5caac7d0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
935e9161e6f5371cb3fc8361276caf5d

SHA1
72f39679596c9e9dda928ce2af5d9ed7137170a8

SHA256
ce649e01a6dd664775985659c29efce0c1add7af4d20bff362ceda79aada33da

SHA512
b94dbe99c2b6b8fc8995de94018e82bb7f91854288891e49f4578c303c2599445b052dc6b7d569b6b750614279cbc6a0b487e7d1753e9963731d5c5caac7d0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
935e9161e6f5371cb3fc8361276caf5d

SHA1
72f39679596c9e9dda928ce2af5d9ed7137170a8

SHA256
ce649e01a6dd664775985659c29efce0c1add7af4d20bff362ceda79aada33da

SHA512
b94dbe99c2b6b8fc8995de94018e82bb7f91854288891e49f4578c303c2599445b052dc6b7d569b6b750614279cbc6a0b487e7d1753e9963731d5c5caac7d0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
935e9161e6f5371cb3fc8361276caf5d

SHA1
72f39679596c9e9dda928ce2af5d9ed7137170a8

SHA256
ce649e01a6dd664775985659c29efce0c1add7af4d20bff362ceda79aada33da

SHA512
b94dbe99c2b6b8fc8995de94018e82bb7f91854288891e49f4578c303c2599445b052dc6b7d569b6b750614279cbc6a0b487e7d1753e9963731d5c5caac7d0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
935e9161e6f5371cb3fc8361276caf5d

SHA1
72f39679596c9e9dda928ce2af5d9ed7137170a8

SHA256
ce649e01a6dd664775985659c29efce0c1add7af4d20bff362ceda79aada33da

SHA512
b94dbe99c2b6b8fc8995de94018e82bb7f91854288891e49f4578c303c2599445b052dc6b7d569b6b750614279cbc6a0b487e7d1753e9963731d5c5caac7d0e4

Download Submit
C:\Windows\Globalization\ELS\Transliteration\886983d96e3d3e

MD5
28b36525c111d4033d97d6ddbe7e9ed3

SHA1
663e6ee65ca75ed4a55c4a20a66025237ab037e1

SHA256
808d8e838834c50248ccc7b532fa7a649523d7fc029565650411edfbc7cf1660

SHA512
f12472cdddac6772beab8a7d815723ce28952c1fcff6ef404c8b93555ba38da7fc17d40912f0ad482a4b2f07b2d8ceee182074bb9ce7e3b230758d1765f7a85e

Download Submit
C:\Windows\Globalization\ELS\Transliteration\csrss.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\ieUnatt\69ddcba757bf72

MD5
9241be5ce5e10e46493d9cb2738be510

SHA1
0efc450e271f4de142f888aa5e096b50b926e604

SHA256
2471d2e0b3097890f30024ced7a869852e8f53780fdb6cdccc2186db9e29dc4b

SHA512
a3635fc03bc0935d559594283a244345ac31f4724f4d5556dc55c64c2ad73e00eb37dc114b9b43d7e356b37205b602a2b3a4e57ae07aae4f76c05ec262949e06

Download Submit
C:\Windows\System32\ieUnatt\smss.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\mssip32\b75386f1303e64

MD5
118e355054dbeeb9120591058603aae9

SHA1
7bf551a19608852fdade67aa86a93f4a32b48533

SHA256
43b65f59ae4fcf8ca0c454ab8c2b11b7be43d46c5d6359fa9f5e88fa96363aa2

SHA512
5c2fcbd64bb5281229167b2634ba0e4ef2fde86ec4b703914d6e4b971cbf285cb43b7af90640c1236226336dcb6b8e433b219238c903438a1a9b013ad9533aad

Download Submit
C:\Windows\System32\mssip32\taskhost.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\spcmsg\c5b4cb5e9653cc

MD5
c041b615ce21210825ab772577221aef

SHA1
c5685e831282543bbc3cd7f214fe62e2206de854

SHA256
f648f286e456043744181f13f6bc33c04a84d57dc4f0ef058070347818ce24f1

SHA512
54994e1406d7105c75598327fb5413fa96e0f2bfc8c52158785b051cf395f4f503ba4b507012af72abef09d72235ffa28c1f123b8b6fa7f4df602e96ff3ec9ae

Download Submit
C:\Windows\System32\spcmsg\services.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\System32\spcmsg\services.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
C:\Windows\Vss\Writers\System\42af1c969fbb7b

MD5
a65a50cea0bc6c174680b031f4faa4e8

SHA1
bd5ef0166b0015016a54db771f5adeef061aed56

SHA256
39af6790ae8e6356fd7dfdca0ae79008545466f49a63b20145255d19480bf48c

SHA512
4defbf65612fd35bb48c663cfdff24514effcefec3b050e23df3e63cea106cf4c6348e717d5f50510231778c4f55a697a065ac57095a812f9c20558412ab07f3

Download Submit
C:\Windows\Vss\Writers\System\audiodg.exe

MD5
b5320340037751e10748b6463fab8ee0

SHA1
b3e9a125688e9da67708adfcada41bb56de2cd3d

SHA256
b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

SHA512
67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Download Submit
memory/336-97-0x00000000022C2000-0x00000000022C4000-memory.dmp

Filesize
8KB

Download
memory/336-102-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/336-98-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/336-96-0x00000000022C0000-0x00000000022C2000-memory.dmp

Filesize
8KB

Download
memory/336-113-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/336-108-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/740-59-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/740-58-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/740-55-0x0000000000B60000-0x0000000000D8C000-memory.dmp

Filesize
2.2MB

Download
memory/740-57-0x0000000000360000-0x00000000003B6000-memory.dmp

Filesize
344KB

Download
memory/740-56-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download
memory/740-62-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/740-60-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/740-63-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/740-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/988-90-0x0000000002660000-0x0000000002662000-memory.dmp

Filesize
8KB

Download
memory/988-111-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/988-64-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download
memory/988-74-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/988-92-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/988-91-0x0000000002662000-0x0000000002664000-memory.dmp

Filesize
8KB

Download
memory/988-104-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1668-101-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1668-83-0x000000001ADB0000-0x000000001ADB2000-memory.dmp

Filesize
8KB

Download
memory/1668-80-0x00000000010A0000-0x00000000012CC000-memory.dmp

Filesize
2.2MB

Download
memory/1692-93-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/1692-94-0x0000000002712000-0x0000000002714000-memory.dmp

Filesize
8KB

Download
memory/1692-77-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/1692-109-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1692-95-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1724-132-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1724-130-0x00000000026C2000-0x00000000026C4000-memory.dmp

Filesize
8KB

Download
memory/1724-129-0x00000000026C0000-0x00000000026C2000-memory.dmp

Filesize
8KB

Download
memory/1724-128-0x000000001B950000-0x000000001BC4F000-memory.dmp

Filesize
3.0MB

Download
memory/1724-127-0x000007FEEB660000-0x000007FEEC1BD000-memory.dmp

Filesize
11.4MB

Download
memory/1724-131-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1728-100-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1728-110-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1728-84-0x00000000026D0000-0x00000000026D2000-memory.dmp

Filesize
8KB

Download
memory/1728-99-0x00000000026D2000-0x00000000026D4000-memory.dmp

Filesize
8KB

Download
memory/1728-103-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/1728-107-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1756-73-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download
memory/1756-87-0x00000000027E0000-0x00000000027E2000-memory.dmp

Filesize
8KB

Download
memory/1756-105-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1756-88-0x00000000027E2000-0x00000000027E4000-memory.dmp

Filesize
8KB

Download
memory/1756-89-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1756-114-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2032-86-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/2032-112-0x0000000002A1B000-0x0000000002A3A000-memory.dmp

Filesize
124KB

Download
memory/2032-82-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/2032-85-0x0000000002A12000-0x0000000002A14000-memory.dmp

Filesize
8KB

Download
memory/2032-72-0x000007FEEAAC0000-0x000007FEEB61D000-memory.dmp

Filesize
11.4MB

Download