Overview

overview

10

Static

static

3853eeaac8...56.exe

windows7-x64

10

3853eeaac8...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2022 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3853eeaac891a4cefed467a48599ed56.exe

  • Size

    4.9MB

  • MD5

    3853eeaac891a4cefed467a48599ed56

  • SHA1

    83611ff9b18910db848187cbddf9c907c044c6f1

  • SHA256

    6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4

  • SHA512

    7f3f785358671ef8934c5b4376ddab04c54758b78938505a8b6826bcb595422755f45c826af4aff06e0273a2e4f4ecb8363843498a9cb102940e5b9c09802654

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3853eeaac891a4cefed467a48599ed56.exe
    "C:\Users\Admin\AppData\Local\Temp\3853eeaac891a4cefed467a48599ed56.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Program Files\Java\jre7\bin\server\services.exe
      "C:\Program Files\Java\jre7\bin\server\services.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\server\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\server\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\server\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3853eeaac891a4cefed467a48599ed563" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\3853eeaac891a4cefed467a48599ed56.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3853eeaac891a4cefed467a48599ed56" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\3853eeaac891a4cefed467a48599ed56.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3853eeaac891a4cefed467a48599ed563" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\3853eeaac891a4cefed467a48599ed56.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jre7\bin\server\services.exe
    Filesize

    4.9MB

    MD5

    fb7e539ec8694eda606d34be1db97247

    SHA1

    42c261c0b770353ff044f47a7a02f7e00d855a56

    SHA256

    b07a869999fc3ed18d9a2d011b6e92fce83a7ad96adac8b4b97d7703e8e1062c

    SHA512

    b34ac4126424f2c355176f129f3f5c471a2589b011ce2be1d78ec495843212640401ce1b697a8549b6a63cd76e53b9b4d2e15fca3d2030d9dee31e80ef429008

    Download Submit
  • C:\Program Files\Java\jre7\bin\server\services.exe
    Filesize

    4.9MB

    MD5

    fb7e539ec8694eda606d34be1db97247

    SHA1

    42c261c0b770353ff044f47a7a02f7e00d855a56

    SHA256

    b07a869999fc3ed18d9a2d011b6e92fce83a7ad96adac8b4b97d7703e8e1062c

    SHA512

    b34ac4126424f2c355176f129f3f5c471a2589b011ce2be1d78ec495843212640401ce1b697a8549b6a63cd76e53b9b4d2e15fca3d2030d9dee31e80ef429008

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    61628c1afb32074579ef05e405bbf506

    SHA1

    266e82e0a47561b60fc32d9619ee7edb8a8d86c8

    SHA256

    c43bebac3b0286941a9975a54eac0696f9d5cc3381b906b897cd4e29701270a9

    SHA512

    ca8d18529154724bf713248eb63ed9ae6fdb92f72819f163f6d0113efb252a65976976f92f9f7fe9873b4d81cc6abaa9bf26fc31f38ffec0ecd4e645201ee909

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/532-64-0x00000000009D0000-0x00000000009DE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/532-58-0x00000000005B0000-0x00000000005C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/532-54-0x00000000010D0000-0x00000000015C4000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/532-55-0x000000001B780000-0x000000001B8AE000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/532-56-0x0000000000580000-0x000000000059C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/532-57-0x00000000005A0000-0x00000000005A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/532-59-0x00000000007D0000-0x00000000007E6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/532-60-0x00000000007F0000-0x0000000000800000-memory.dmp
    Filesize

    64KB

    Download
  • memory/532-68-0x0000000000B90000-0x0000000000B9C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/532-61-0x0000000000800000-0x000000000080A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/532-62-0x0000000000810000-0x0000000000822000-memory.dmp
    Filesize

    72KB

    Download
  • memory/532-63-0x00000000009C0000-0x00000000009CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/532-67-0x0000000000B80000-0x0000000000B88000-memory.dmp
    Filesize

    32KB

    Download
  • memory/532-66-0x0000000000B70000-0x0000000000B78000-memory.dmp
    Filesize

    32KB

    Download
  • memory/532-65-0x0000000000AE0000-0x0000000000AEE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/612-135-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/612-165-0x00000000024E4000-0x00000000024E7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/612-83-0x0000000000000000-mapping.dmp
    Download
  • memory/612-126-0x00000000024E4000-0x00000000024E7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/612-154-0x000000001B800000-0x000000001BAFF000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/612-166-0x00000000024EB000-0x000000000250A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/612-115-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/648-183-0x00000000026CB000-0x00000000026EA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/648-181-0x000000001B700000-0x000000001B9FF000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/648-177-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/648-180-0x00000000026C4000-0x00000000026C7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/648-71-0x0000000000000000-mapping.dmp
    Download
  • memory/648-179-0x000007FEF54C0000-0x000007FEF601D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/648-182-0x00000000026C4000-0x00000000026C7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/664-125-0x0000000002754000-0x0000000002757000-memory.dmp
    Filesize

    12KB

    Download
  • memory/664-169-0x000000000275B000-0x000000000277A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/664-112-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/664-138-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/664-77-0x0000000000000000-mapping.dmp
    Download
  • memory/664-167-0x0000000002754000-0x0000000002757000-memory.dmp
    Filesize

    12KB

    Download
  • memory/984-140-0x000000001B8A0000-0x000000001BB9F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/984-146-0x0000000002834000-0x0000000002837000-memory.dmp
    Filesize

    12KB

    Download
  • memory/984-80-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/984-142-0x000000000283B000-0x000000000285A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/984-149-0x000000000283B000-0x000000000285A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/984-120-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/984-123-0x0000000002834000-0x0000000002837000-memory.dmp
    Filesize

    12KB

    Download
  • memory/984-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1296-147-0x00000000029A4000-0x00000000029A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1296-145-0x00000000029AB000-0x00000000029CA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1296-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1296-141-0x000000001BA40000-0x000000001BD3F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1296-148-0x00000000029AB000-0x00000000029CA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1296-116-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1296-131-0x00000000029A4000-0x00000000029A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1296-137-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1532-130-0x0000000002504000-0x0000000002507000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1532-158-0x000000000250B000-0x000000000252A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1532-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1532-160-0x0000000002504000-0x0000000002507000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1532-132-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1532-78-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1532-143-0x000000001B7A0000-0x000000001BA9F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1532-73-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1668-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1668-133-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1668-157-0x0000000002374000-0x0000000002377000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1668-144-0x000000001B860000-0x000000001BB5F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1668-129-0x0000000002374000-0x0000000002377000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1668-159-0x000000000237B000-0x000000000239A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1668-117-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1760-162-0x000000000244B000-0x000000000246A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1760-110-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1760-94-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-161-0x0000000002444000-0x0000000002447000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1760-122-0x0000000002444000-0x0000000002447000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1760-119-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1980-111-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1980-153-0x000000001B790000-0x000000001BA8F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1980-127-0x0000000001F94000-0x0000000001F97000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1980-171-0x0000000001F94000-0x0000000001F97000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1980-136-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1980-84-0x0000000000000000-mapping.dmp
    Download
  • memory/1980-174-0x0000000001F9B000-0x0000000001FBA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1992-178-0x0000000002734000-0x0000000002737000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1992-155-0x000000001B780000-0x000000001BA7F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1992-168-0x000000000273B000-0x000000000275A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1992-139-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1992-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-173-0x000000000273B000-0x000000000275A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1992-114-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1992-124-0x0000000002734000-0x0000000002737000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2020-172-0x00000000027EB000-0x000000000280A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2020-128-0x00000000027E4000-0x00000000027E7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2020-87-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-170-0x00000000027E4000-0x00000000027E7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2020-152-0x000000001B770000-0x000000001BA6F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2020-109-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/2020-134-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/2028-89-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-113-0x000007FEEAA70000-0x000007FEEB493000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/2028-164-0x000000000239B000-0x00000000023BA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2028-150-0x000000001B7D0000-0x000000001BACF000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2028-121-0x0000000002394000-0x0000000002397000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2028-118-0x000007FEED190000-0x000007FEEDCED000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/2028-163-0x0000000002394000-0x0000000002397000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2164-108-0x0000000000F10000-0x0000000001404000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2164-105-0x0000000000000000-mapping.dmp
    Download