Analysis
-
max time kernel
115s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
24-01-2023 20:16
General
-
Target
87a68d59a505ea17432de19240f49590.exe
-
Size
6KB
-
MD5
87a68d59a505ea17432de19240f49590
-
SHA1
4b7d59eaff27ad9d1454446977b938d3b2c8b29a
-
SHA256
3a1040de1d848bcc5564bf5d45188bbd0e69bbb43f9f6ab489d61259d843ddf8
-
SHA512
ec0fb3316d4d8cfe5d245f44f123834df704a096837f49d235a5a577b0012cc8470135287ed171019c881f71522d9177fb3e19fddf132e3ebba860555e79d95a
-
SSDEEP
48:6vBII9IyeZAvPloQISLlOS6UXrg6Llf+NQz6VVjmEv04AWfch3HRCZnr10qBHs3U:Aec991gogZRRmxYcY0kGIp2LdzNt
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 11 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\87a68d59a505ea17432de19240f49590.exe"C:\Users\Admin\AppData\Local\Temp\87a68d59a505ea17432de19240f49590.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\file1.exe"C:\ProgramData\file1.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\BridgeWin\kBRJ5zb6pFGWil.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\BridgeWin\containerRuntime.exe"C:\BridgeWin\containerRuntime.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\containerRuntime.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\csrss.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\csrss.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\wininit.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\winlogon.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ULB67XHWZs.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Program Files\Windows NT\TableTextService\System.exe"C:\Program Files\Windows NT\TableTextService\System.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\System.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\System.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ProgramData\file2.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comCHCP 8663⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit3⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\BridgeWin\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\BridgeWin\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\BridgeWin\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Pictures\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\BridgeWin\kBRJ5zb6pFGWil.batFilesize
35B
MD5064d44ddf49217a25ad5ec14b334e0f8
SHA1092f4a63df14672e90e8001a9bb6000315fb29d6
SHA256a1962a0cd9c290da9a9d7bb34828fae854a8994127fcbe219e4d6a7b499274c4
SHA512342448a993e8f8713918fe64c15f1c117ee1dd5e80de3ea78a026802895733b5024169ea9daf2eaf102005b27a6b48772b6122d28875d686d305cfd412c17acb
-
C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbeFilesize
200B
MD5c33c80ec8b8c3cdef3f528ea621be889
SHA110b010cc2b37daf6fd01031c4d2af8d684cc6953
SHA256a2492c835a66b1e833bfebfa669e8366d66ae7ac9b6aedf35adf5c24b2bd6fdc
SHA512d947f93f0f86d1c02b791c932febe41b2c0e58cc3842ca361d006ad79cffff3b0313be31eaaaa8610216ae936b1a24e680d97e0ad7da0ccf28f6804e63a156af
-
C:\Program Files\Windows NT\TableTextService\System.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\Program Files\Windows NT\TableTextService\System.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
C:\ProgramData\file1.exeFilesize
1.2MB
MD53e821d4b4af33a23f64c69db57770955
SHA1019742e345c39bd10f6c9bc4c1af4c2e94a5fca0
SHA2565ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04
SHA5126e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160
-
C:\ProgramData\file1.exeFilesize
1.2MB
MD53e821d4b4af33a23f64c69db57770955
SHA1019742e345c39bd10f6c9bc4c1af4c2e94a5fca0
SHA2565ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04
SHA5126e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160
-
C:\ProgramData\file2.batFilesize
13KB
MD58bb47bc15412d726a038cff591aa5933
SHA18768216458761909c94bf544e1acd250099a4465
SHA256bb279a32dd1bc418a72d80553859d64f2f0fceb3e5c40c8c09e9bdbf4080710b
SHA51256251138791ab720dd835e3a7903f93a8b3a8553384d406a52f32ea854951beeb4286f42cc483b7f5d6b4398bd2d1fab8f4b9a3891c57e65116efe6ec6fe3a17
-
C:\Users\Admin\AppData\Local\Temp\ULB67XHWZs.batFilesize
220B
MD501c16bdcdc1a037fbdbaeae8268bbc62
SHA18477a15e7f1de628293bb3da893ea46cb4f6560f
SHA256c53764b3ed64301deba2077a0eb2144768e45a80b84c9f2cb515b35faa5d93bc
SHA51248184684a5d217c01e6f8f436de1aeb2c4f3ab789810004b77862e2c36f7390d37ca6fe33033182e6848ed95de6d6bb8e4de348e79dacb237a44f658d6c2ff23
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5461b0e8cf291801beb8252bf4221e59d
SHA1a2f9091e33777e054b6fd77f38d900f92e36b6cd
SHA2560b74ec42e3ba05a1f2eb88145a338c25d753285f76b834f05db5a3f966768ff0
SHA512dddd1db7a8ba96f53171235211cd64fb667f37ef3d07d4d8467beb3e2dfcd0ed388f9bd448a5bc189ed08dac86e17f6976b9d50aaaa8b3824753de520605677a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5461b0e8cf291801beb8252bf4221e59d
SHA1a2f9091e33777e054b6fd77f38d900f92e36b6cd
SHA2560b74ec42e3ba05a1f2eb88145a338c25d753285f76b834f05db5a3f966768ff0
SHA512dddd1db7a8ba96f53171235211cd64fb667f37ef3d07d4d8467beb3e2dfcd0ed388f9bd448a5bc189ed08dac86e17f6976b9d50aaaa8b3824753de520605677a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5bce403114686fdb379b327b0be9ad0b9
SHA1e45fe240543878b2fa163cf40a0173983f68c46e
SHA256d1d1e50dcd90c4b90d0889f82cf629353423053619013c26fa6d953d826312d8
SHA51286dd195c494aef82bfce74e3815efa3d5147d35c00c9e8b29bf91c2854ad2781bb204013c5ddbd0409484946a6fbf12f22120c63dd3abe599e74f3bcdef55d4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5bce403114686fdb379b327b0be9ad0b9
SHA1e45fe240543878b2fa163cf40a0173983f68c46e
SHA256d1d1e50dcd90c4b90d0889f82cf629353423053619013c26fa6d953d826312d8
SHA51286dd195c494aef82bfce74e3815efa3d5147d35c00c9e8b29bf91c2854ad2781bb204013c5ddbd0409484946a6fbf12f22120c63dd3abe599e74f3bcdef55d4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5bce403114686fdb379b327b0be9ad0b9
SHA1e45fe240543878b2fa163cf40a0173983f68c46e
SHA256d1d1e50dcd90c4b90d0889f82cf629353423053619013c26fa6d953d826312d8
SHA51286dd195c494aef82bfce74e3815efa3d5147d35c00c9e8b29bf91c2854ad2781bb204013c5ddbd0409484946a6fbf12f22120c63dd3abe599e74f3bcdef55d4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5461b0e8cf291801beb8252bf4221e59d
SHA1a2f9091e33777e054b6fd77f38d900f92e36b6cd
SHA2560b74ec42e3ba05a1f2eb88145a338c25d753285f76b834f05db5a3f966768ff0
SHA512dddd1db7a8ba96f53171235211cd64fb667f37ef3d07d4d8467beb3e2dfcd0ed388f9bd448a5bc189ed08dac86e17f6976b9d50aaaa8b3824753de520605677a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5bce403114686fdb379b327b0be9ad0b9
SHA1e45fe240543878b2fa163cf40a0173983f68c46e
SHA256d1d1e50dcd90c4b90d0889f82cf629353423053619013c26fa6d953d826312d8
SHA51286dd195c494aef82bfce74e3815efa3d5147d35c00c9e8b29bf91c2854ad2781bb204013c5ddbd0409484946a6fbf12f22120c63dd3abe599e74f3bcdef55d4a
-
\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
\BridgeWin\containerRuntime.exeFilesize
931KB
MD5799a6791f1c0d38cafb78ec0a88cedf0
SHA1a33bde29181e1700dd1953191c3ab9830a0f55e9
SHA2560686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2
SHA512c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d
-
\ProgramData\file1.exeFilesize
1.2MB
MD53e821d4b4af33a23f64c69db57770955
SHA1019742e345c39bd10f6c9bc4c1af4c2e94a5fca0
SHA2565ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04
SHA5126e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160
-
memory/272-69-0x0000000000000000-mapping.dmp
-
memory/436-67-0x0000000000000000-mapping.dmp
-
memory/456-141-0x000000001B850000-0x000000001BB4F000-memory.dmpFilesize
3.0MB
-
memory/456-107-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/456-120-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/456-123-0x00000000028F4000-0x00000000028F7000-memory.dmpFilesize
12KB
-
memory/456-81-0x0000000000000000-mapping.dmp
-
memory/456-155-0x00000000028F4000-0x00000000028F7000-memory.dmpFilesize
12KB
-
memory/456-156-0x00000000028FB000-0x000000000291A000-memory.dmpFilesize
124KB
-
memory/456-147-0x00000000028FB000-0x000000000291A000-memory.dmpFilesize
124KB
-
memory/568-108-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/568-86-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmpFilesize
8KB
-
memory/568-151-0x00000000024BB000-0x00000000024DA000-memory.dmpFilesize
124KB
-
memory/568-130-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/568-169-0x00000000024BB000-0x00000000024DA000-memory.dmpFilesize
124KB
-
memory/568-122-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/568-79-0x0000000000000000-mapping.dmp
-
memory/568-143-0x000000001B750000-0x000000001BA4F000-memory.dmpFilesize
3.0MB
-
memory/568-160-0x00000000024B4000-0x00000000024B7000-memory.dmpFilesize
12KB
-
memory/836-163-0x000000000290B000-0x000000000292A000-memory.dmpFilesize
124KB
-
memory/836-131-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/836-150-0x000000000290B000-0x000000000292A000-memory.dmpFilesize
124KB
-
memory/836-127-0x0000000002904000-0x0000000002907000-memory.dmpFilesize
12KB
-
memory/836-110-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/836-159-0x0000000002904000-0x0000000002907000-memory.dmpFilesize
12KB
-
memory/836-84-0x0000000000000000-mapping.dmp
-
memory/836-145-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/852-142-0x000000001B8A0000-0x000000001BB9F000-memory.dmpFilesize
3.0MB
-
memory/852-109-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/852-129-0x00000000028D4000-0x00000000028D7000-memory.dmpFilesize
12KB
-
memory/852-80-0x0000000000000000-mapping.dmp
-
memory/852-132-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/852-167-0x00000000028D4000-0x00000000028D7000-memory.dmpFilesize
12KB
-
memory/852-152-0x00000000028DB000-0x00000000028FA000-memory.dmpFilesize
124KB
-
memory/852-168-0x00000000028DB000-0x00000000028FA000-memory.dmpFilesize
124KB
-
memory/1016-77-0x00000000003D0000-0x00000000003DC000-memory.dmpFilesize
48KB
-
memory/1016-76-0x00000000003C0000-0x00000000003CC000-memory.dmpFilesize
48KB
-
memory/1016-75-0x0000000001150000-0x0000000001240000-memory.dmpFilesize
960KB
-
memory/1016-73-0x0000000000000000-mapping.dmp
-
memory/1112-64-0x0000000000000000-mapping.dmp
-
memory/1364-87-0x0000000000000000-mapping.dmp
-
memory/1364-114-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/1364-144-0x000000001B7D0000-0x000000001BACF000-memory.dmpFilesize
3.0MB
-
memory/1364-124-0x0000000002774000-0x0000000002777000-memory.dmpFilesize
12KB
-
memory/1364-135-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/1364-153-0x000000000277B000-0x000000000279A000-memory.dmpFilesize
124KB
-
memory/1364-157-0x0000000002774000-0x0000000002777000-memory.dmpFilesize
12KB
-
memory/1364-158-0x000000000277B000-0x000000000279A000-memory.dmpFilesize
124KB
-
memory/1368-78-0x0000000000000000-mapping.dmp
-
memory/1368-119-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/1368-121-0x0000000002484000-0x0000000002487000-memory.dmpFilesize
12KB
-
memory/1368-171-0x000000000248B000-0x00000000024AA000-memory.dmpFilesize
124KB
-
memory/1368-96-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/1368-148-0x000000000248B000-0x00000000024AA000-memory.dmpFilesize
124KB
-
memory/1368-140-0x000000001B720000-0x000000001BA1F000-memory.dmpFilesize
3.0MB
-
memory/1368-162-0x0000000002484000-0x0000000002487000-memory.dmpFilesize
12KB
-
memory/1388-61-0x0000000000000000-mapping.dmp
-
memory/1416-112-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/1416-170-0x0000000002344000-0x0000000002347000-memory.dmpFilesize
12KB
-
memory/1416-138-0x000000001B830000-0x000000001BB2F000-memory.dmpFilesize
3.0MB
-
memory/1416-133-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/1416-172-0x000000000234B000-0x000000000236A000-memory.dmpFilesize
124KB
-
memory/1416-83-0x0000000000000000-mapping.dmp
-
memory/1416-149-0x000000000234B000-0x000000000236A000-memory.dmpFilesize
124KB
-
memory/1416-128-0x0000000002344000-0x0000000002347000-memory.dmpFilesize
12KB
-
memory/1504-57-0x0000000000000000-mapping.dmp
-
memory/1612-146-0x00000000022DB000-0x00000000022FA000-memory.dmpFilesize
124KB
-
memory/1612-164-0x00000000022DB000-0x00000000022FA000-memory.dmpFilesize
124KB
-
memory/1612-111-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/1612-137-0x000000001B760000-0x000000001BA5F000-memory.dmpFilesize
3.0MB
-
memory/1612-82-0x0000000000000000-mapping.dmp
-
memory/1612-134-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/1612-161-0x00000000022D4000-0x00000000022D7000-memory.dmpFilesize
12KB
-
memory/1612-126-0x00000000022D4000-0x00000000022D7000-memory.dmpFilesize
12KB
-
memory/1652-154-0x000000000261B000-0x000000000263A000-memory.dmpFilesize
124KB
-
memory/1652-139-0x000000001B870000-0x000000001BB6F000-memory.dmpFilesize
3.0MB
-
memory/1652-113-0x000007FEEAD10000-0x000007FEEB733000-memory.dmpFilesize
10.1MB
-
memory/1652-136-0x000007FEE9260000-0x000007FEE9DBD000-memory.dmpFilesize
11.4MB
-
memory/1652-125-0x0000000002614000-0x0000000002617000-memory.dmpFilesize
12KB
-
memory/1652-85-0x0000000000000000-mapping.dmp
-
memory/1652-166-0x000000000261B000-0x000000000263A000-memory.dmpFilesize
124KB
-
memory/1652-165-0x0000000002614000-0x0000000002617000-memory.dmpFilesize
12KB
-
memory/1712-66-0x0000000000000000-mapping.dmp
-
memory/1916-54-0x0000000000060000-0x0000000000068000-memory.dmpFilesize
32KB
-
memory/1916-55-0x0000000075A81000-0x0000000075A83000-memory.dmpFilesize
8KB
-
memory/2128-91-0x0000000000000000-mapping.dmp
-
memory/2396-106-0x0000000000000000-mapping.dmp
-
memory/2496-116-0x0000000000000000-mapping.dmp
-
memory/2496-118-0x0000000000C00000-0x0000000000CF0000-memory.dmpFilesize
960KB