dcrat | 286acc4048494eecfb642fa7c95f459551c0fa3f7d2d117c8792cb6a1b3ab33d

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d454a64e7f14ab734752a9414f8cbd0.exe
Size

2.5MB
MD5

3d454a64e7f14ab734752a9414f8cbd0
SHA1

a239dccbba74d4d17fae19552e122043f9501b2d
SHA256

286acc4048494eecfb642fa7c95f459551c0fa3f7d2d117c8792cb6a1b3ab33d
SHA512

4cfb9e4005fd18c3d9b0805c64fd34627c7090e8945fd7aa8fc0ba91babe6840a660245547b8971467416c629ad28e4362298520dbe9efdb734c310ff3ed0f77
SSDEEP

49152:iSg8kOqBMdDhtQM4I+MkmJm9LcBwQYdXQ4J:9fkOqGhhtn9+nmJm9LcBCXvJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1716 schtasks.exe
452 schtasks.exe
1852 schtasks.exe
1300 schtasks.exe
584 schtasks.exe
360 schtasks.exe

pid	process
1716	schtasks.exe
452	schtasks.exe
1852	schtasks.exe
1300	schtasks.exe
584	schtasks.exe
360	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3d454a64e7f14ab734752a9414f8cbd0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\csrss.exe\""	3d454a64e7f14ab734752a9414f8cbd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\csrss.exe\", \"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\""	3d454a64e7f14ab734752a9414f8cbd0.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1568	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/848-54-0x00000000008D0000-0x0000000000B5E000-memory.dmp	dcrat
C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe	dcrat
C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe	dcrat
behavioral1/memory/2100-107-0x0000000001200000-0x000000000148E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

WMIADAP.exe

pid process

2100 WMIADAP.exe

pid	process
2100	WMIADAP.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d454a64e7f14ab734752a9414f8cbd0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\csrss.exe\""	3d454a64e7f14ab734752a9414f8cbd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\csrss.exe\""	3d454a64e7f14ab734752a9414f8cbd0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\""	3d454a64e7f14ab734752a9414f8cbd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows Sidebar\\es-ES\\WMIADAP.exe\""	3d454a64e7f14ab734752a9414f8cbd0.exe

Drops file in Program Files directory 5 IoCs

Processes:

3d454a64e7f14ab734752a9414f8cbd0.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCX19AD.tmp	3d454a64e7f14ab734752a9414f8cbd0.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCX1D18.tmp	3d454a64e7f14ab734752a9414f8cbd0.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe	3d454a64e7f14ab734752a9414f8cbd0.exe
File created	C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe	3d454a64e7f14ab734752a9414f8cbd0.exe
File created	C:\Program Files\Windows Sidebar\es-ES\75a57c1bdf437c	3d454a64e7f14ab734752a9414f8cbd0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1852 schtasks.exe
1300 schtasks.exe
584 schtasks.exe
1716 schtasks.exe
360 schtasks.exe
452 schtasks.exe

pid	process
1852	schtasks.exe
1300	schtasks.exe
584	schtasks.exe
1716	schtasks.exe
360	schtasks.exe
452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

3d454a64e7f14ab734752a9414f8cbd0.exeWMIADAP.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
848	3d454a64e7f14ab734752a9414f8cbd0.exe
2100	WMIADAP.exe
1644	powershell.exe
692	powershell.exe
1648	powershell.exe
1432	powershell.exe
1768	powershell.exe
1008	powershell.exe
952	powershell.exe
1916	powershell.exe
1500	powershell.exe
1740	powershell.exe
1968	powershell.exe
1732	powershell.exe
2100	WMIADAP.exe
2100	WMIADAP.exe
2100	WMIADAP.exe
2100	WMIADAP.exe
2100	WMIADAP.exe
2100	WMIADAP.exe
2100	WMIADAP.exe
2100	WMIADAP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WMIADAP.exe

pid process

2100 WMIADAP.exe

pid	process
2100	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	848	3d454a64e7f14ab734752a9414f8cbd0.exe
Token: SeDebugPrivilege	2100	WMIADAP.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

3d454a64e7f14ab734752a9414f8cbd0.exeWMIADAP.exe

description	pid	process	target process
PID 848 wrote to memory of 1500	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1500	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1500	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1648	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1648	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1648	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1432	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1432	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1432	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1768	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1768	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1768	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1740	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1740	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1740	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1732	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1732	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1732	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 692	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 692	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 692	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1008	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1008	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1008	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1916	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1916	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1916	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 952	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 952	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 952	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1968	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1968	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1968	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1644	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1644	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 1644	848	3d454a64e7f14ab734752a9414f8cbd0.exe	powershell.exe
PID 848 wrote to memory of 2100	848	3d454a64e7f14ab734752a9414f8cbd0.exe	WMIADAP.exe
PID 848 wrote to memory of 2100	848	3d454a64e7f14ab734752a9414f8cbd0.exe	WMIADAP.exe
PID 848 wrote to memory of 2100	848	3d454a64e7f14ab734752a9414f8cbd0.exe	WMIADAP.exe
PID 2100 wrote to memory of 2812	2100	WMIADAP.exe	WScript.exe
PID 2100 wrote to memory of 2812	2100	WMIADAP.exe	WScript.exe
PID 2100 wrote to memory of 2812	2100	WMIADAP.exe	WScript.exe
PID 2100 wrote to memory of 2868	2100	WMIADAP.exe	WScript.exe
PID 2100 wrote to memory of 2868	2100	WMIADAP.exe	WScript.exe
PID 2100 wrote to memory of 2868	2100	WMIADAP.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\3d454a64e7f14ab734752a9414f8cbd0.exe
"C:\Users\Admin\AppData\Local\Temp\3d454a64e7f14ab734752a9414f8cbd0.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe
"C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e8fed91-bb9a-4e51-9835-04a846facf0f.vbs"
3⤵
PID:2812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644bb824-0292-4127-922e-eb3956a4d044.vbs"
3⤵
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe
Filesize
2.5MB

MD5
c7a07eeeb97b858308a45259b1c3e300

SHA1
2cac5490071411a88a71b1ba5cd7639eafd0094d

SHA256
1c65004583a6cc75bf0ab3469ba2fc01b60feafaf887a2d25d1c251c1b892c55

SHA512
8b29ae6cd68f596a5d806525b7255e92d1d63c383d8af4617c8432e9526d14237d13387cc5ed0e9219c6398b1c483c6ffe10f6602510b5a3121c4ab8d91f79c7

Download Submit
C:\Program Files\Windows Sidebar\es-ES\WMIADAP.exe
Filesize
2.5MB

MD5
c7a07eeeb97b858308a45259b1c3e300

SHA1
2cac5490071411a88a71b1ba5cd7639eafd0094d

SHA256
1c65004583a6cc75bf0ab3469ba2fc01b60feafaf887a2d25d1c251c1b892c55

SHA512
8b29ae6cd68f596a5d806525b7255e92d1d63c383d8af4617c8432e9526d14237d13387cc5ed0e9219c6398b1c483c6ffe10f6602510b5a3121c4ab8d91f79c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\644bb824-0292-4127-922e-eb3956a4d044.vbs
Filesize
502B

MD5
81dad73c5d95c0c1a540a0fb83d6051c

SHA1
03e9212175d4899e08125f421d20be23b2f32a01

SHA256
394f89b3d1cc387f7cca58dade9208b753765ccc6405585708ece1a40b21b63d

SHA512
8307d917cdd7c96f10969e458f4d8a70418bb8691533b3254a7dc4bf51e6af3459036c418132f19fdfa30a168a6fc53569e20e210f58ad12556c12c23ab95d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8fed91-bb9a-4e51-9835-04a846facf0f.vbs
Filesize
726B

MD5
747d1880cd3d2d81c705eac55b7e8a88

SHA1
ca9a754c4d5582c57b9d29fd36f82c768d9fc478

SHA256
c8dfb7bd307d229f47fef37680883c766c8a2a9b23f06fa25fb43d546edf83f4

SHA512
5b9d829338ef1d10c1f7f8e672dac3e4729cd9f6b1b518cfd18eb5a71094281201c711cb7d81769caa688f31079229816812aa6bf2f6da80f637beb3ca16293f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dc59d5f28576c9212ddddd6668009ef7

SHA1
30ad631d947c99a62ec5f7327d1dd9841fd5713b

SHA256
51785024d8c9c030f85d6ccfa8e261e0849b85f3049194da891362dcdd841c7c

SHA512
7a667cd2124504968eedd989716901978d806f0bbd9b384eb4f33910c6e4e7670c3534aff1116b216a2d4f3f9de15ce6c40e3184ca9c808258b385bc5d2d737f

Download Submit
memory/692-129-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/692-164-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/692-167-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/692-142-0x000000001B9C0000-0x000000001BCBF000-memory.dmp

Filesize
3.0MB

Download
memory/692-72-0x0000000000000000-mapping.dmp

Download
memory/692-124-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/692-156-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/692-111-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/848-64-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/848-58-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/848-55-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/848-54-0x00000000008D0000-0x0000000000B5E000-memory.dmp

Filesize
2.6MB

Download
memory/848-56-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/848-57-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/848-65-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/848-59-0x0000000000870000-0x00000000008C6000-memory.dmp

Filesize
344KB

Download
memory/848-63-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/848-62-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/848-61-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/848-60-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/952-121-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/952-161-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/952-146-0x000000001B930000-0x000000001BC2F000-memory.dmp

Filesize
3.0MB

Download
memory/952-81-0x0000000000000000-mapping.dmp

Download
memory/952-135-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/952-159-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/952-113-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/952-163-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1008-115-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1008-150-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/1008-119-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1008-126-0x0000000001E20000-0x0000000001EA0000-memory.dmp

Filesize
512KB

Download
memory/1008-75-0x0000000000000000-mapping.dmp

Download
memory/1008-155-0x0000000001E20000-0x0000000001EA0000-memory.dmp

Filesize
512KB

Download
memory/1432-125-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1432-152-0x000000001B970000-0x000000001BC6F000-memory.dmp

Filesize
3.0MB

Download
memory/1432-104-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1432-182-0x0000000001DB4000-0x0000000001DB7000-memory.dmp

Filesize
12KB

Download
memory/1432-68-0x0000000000000000-mapping.dmp

Download
memory/1432-181-0x0000000001DBB000-0x0000000001DDA000-memory.dmp

Filesize
124KB

Download
memory/1432-130-0x0000000001DB4000-0x0000000001DB7000-memory.dmp

Filesize
12KB

Download
memory/1500-109-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1500-144-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1500-66-0x0000000000000000-mapping.dmp

Download
memory/1500-173-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1500-172-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1500-139-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1500-136-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1644-90-0x0000000000000000-mapping.dmp

Download
memory/1644-179-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1644-180-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1644-102-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1644-123-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1644-148-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/1644-128-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1648-80-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1648-166-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1648-73-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1648-127-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1648-157-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1648-162-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1648-122-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1648-67-0x0000000000000000-mapping.dmp

Download
memory/1648-143-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1732-170-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1732-71-0x0000000000000000-mapping.dmp

Download
memory/1732-108-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1732-141-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1732-169-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1732-133-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1732-158-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1732-145-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1740-175-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1740-153-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1740-70-0x0000000000000000-mapping.dmp

Download
memory/1740-116-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1740-138-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1740-176-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1740-134-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1768-168-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/1768-69-0x0000000000000000-mapping.dmp

Download
memory/1768-110-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1768-154-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1768-118-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1768-160-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/1768-147-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1768-120-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1768-165-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1916-178-0x000000000200B000-0x000000000202A000-memory.dmp

Filesize
124KB

Download
memory/1916-76-0x0000000000000000-mapping.dmp

Download
memory/1916-114-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/1916-137-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1916-149-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/1916-177-0x0000000002004000-0x0000000002007000-memory.dmp

Filesize
12KB

Download
memory/1916-131-0x0000000002004000-0x0000000002007000-memory.dmp

Filesize
12KB

Download
memory/1968-174-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1968-171-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1968-140-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1968-151-0x000000001B990000-0x000000001BC8F000-memory.dmp

Filesize
3.0MB

Download
memory/1968-132-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1968-85-0x0000000000000000-mapping.dmp

Download
memory/1968-117-0x000007FEEB040000-0x000007FEEBA63000-memory.dmp

Filesize
10.1MB

Download
memory/2100-107-0x0000000001200000-0x000000000148E000-memory.dmp

Filesize
2.6MB

Download
memory/2100-103-0x0000000000000000-mapping.dmp

Download
memory/2100-112-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2812-183-0x0000000000000000-mapping.dmp

Download
memory/2868-185-0x0000000000000000-mapping.dmp

Download