Analysis
-
max time kernel
39s -
max time network
61s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
28-01-2023 10:19
General
-
Target
Big Dildo Riding.scr
-
Size
3.4MB
-
MD5
ed6ea767354e940d79e591d21d8e1bbd
-
SHA1
d07011f13100f7578506f45630cfdb73286a3e44
-
SHA256
be790ab14ba841b5a5ae4fb7853924f33be7577b35a5565ca31fcd399b1ad8f8
-
SHA512
b653626e2d42d76d6daa48ecf779e053ab3bff1781c54519fe70f47bd97a03fcce3eed5dacb01edbae655b588ad4be138b2df29e604ddfd2cc0ff4f80b8da569
-
SSDEEP
49152:EbA37QXuXj2m0oENBxCFk+M0/V5Z7dTMjPvxQp0VR4NOjtSskvRIaqiZd:EbXXuiyENBE209BqnOmeMjYsqR7d
Malware Config
Signatures
-
DcRat 56 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 36 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Big Dildo Riding.scr"C:\Users\Admin\AppData\Local\Temp\Big Dildo Riding.scr" /S1⤵
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\SurrogateagentsavesDll\rh7k9gt.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\SurrogateagentsavesDll\2nvHsNHUhqkINTDaJO.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\SurrogateagentsavesDll\webbroker.exe"C:\SurrogateagentsavesDll\webbroker.exe"4⤵
- DcRat
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\smss.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\SurrogateagentsavesDll\webbroker.exe"C:\SurrogateagentsavesDll\webbroker.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\dllhost.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\conhost.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8gvyepI0e2.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\SurrogateagentsavesDll\webbroker.exe"C:\SurrogateagentsavesDll\webbroker.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\ShellExperienceHost.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\wininit.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\142fb093-5f70-4115-b78a-b86e033682fc.vbs"9⤵
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e323c6-ec07-495a-add4-b8de51acb977.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b93a6fe2-fe29-47bd-8e7e-0303e4f626b5.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c752945-814d-46fe-ba83-22a26ddf0926.vbs"9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\ShellExperienceHost.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\ShellExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\odt\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\SurrogateagentsavesDll\ShellExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\SurrogateagentsavesDll\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\SurrogateagentsavesDll\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\SurrogateagentsavesDll\2nvHsNHUhqkINTDaJO.batFilesize
41B
MD5d9fbba17a660eee76f5e6556e7f00ccc
SHA15e40c6de4f9a1d2dae42a33902120af6c561f631
SHA256bed8275c849c71818fa90791dd5b71514a46a82990a7e04a3092dc7c761d1f62
SHA512c3f484fbe0b3461335b6aa6fe8ec509044e853edf15a514e3d2d33bd5370d9566b21f03cc0e949ec9a6a91c2abeb7f30dc741b33522548b75c056384f1344955
-
C:\SurrogateagentsavesDll\rh7k9gt.vbeFilesize
217B
MD5243fd9d2bb97513854d1025a6727a5e4
SHA1ab45973af5a26c54821b6897043958ecbf5683b3
SHA25638a0c3d04ec79e01ecc452d0afb95ac1f419472d9abbd9ebde4b30b94da6509b
SHA512da630c8c29ba43e8929ec89ba525930cceca5f580d338ca8337dc1be9cb41fe11ba7c7f4ab658407552b7d5ce2929fd56f86739bd76124e35a0110d407c6faeb
-
C:\SurrogateagentsavesDll\webbroker.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\SurrogateagentsavesDll\webbroker.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\SurrogateagentsavesDll\webbroker.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\SurrogateagentsavesDll\webbroker.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.logFilesize
1KB
MD508f43da77650c7ac78c89d4428532545
SHA1cd4bd631bcca0015e3c3292d290eb0990593adcd
SHA256e74f9cc1393d6a564ad1febad86452c11909a0c21e2a2433c18063d0dc41a18c
SHA51249a5f7dd2836bd0fb53388e253ad333c20a8eb2f08d1f762101c75159b74aed21e6fe73f03dc558387ee1284637876dcf6c79062a191bb57490e5e58e6afff2a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\webbroker.exe.logFilesize
1KB
MD5430a3e587f99c7640a58a042ce63bdd6
SHA15d11d6b74e56cf622796971b8f57f57ca37592db
SHA256a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7
SHA5120b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52999fccb1e5299ac1869258db61d4a8b
SHA190e33966fb1e6a088ed3d75f1bda9c460064ac1f
SHA2565c8e02dc3bc4750c1824014046aa9ef0e8953dbf3629dad4b21636046c7f8391
SHA51283bb3861f46131bfc57803f931d7e830c8457ed26d12a2b5eb561e26b0b5b4b44e22fe7edac5d47beb4df4191fd228eda1ad7701481e373dabce358b31e89072
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5cf9cf2ae1df58e48a17b3374c1cfa9bf
SHA1ebc49fc4697c1f8d4db6a2b83d2b25e378987249
SHA256bf28183a9fd826c3b19b2b53524f17e5faacabaf08146ab3dd2fbf5b05161913
SHA512c4532e0205d42e5ca16fa9ba6f31079c2a0d5893f8d3005f282e4b56f45381ce05770f8d9604f1ba2c3a7dcdd91820ae781b09f4cbdaabd13eaa935dc76373e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5952de0e1863ea41e91dfdcc5c617e265
SHA1d5bd48764ed69b44399d3aceaa68f5b287351936
SHA2563904e58d4474c0ab207eab3ea6a9c42b64842708a302bb7e7fbb44b74437d10e
SHA512df52936dfcdf21e3e709b747d5acbfb0415e4cdfddb5e2bcbd7bc0ae02c272af821172eaace9d0f81ff1945281bb39f2f04062259fed5b52aec43dc48aa796d5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5952de0e1863ea41e91dfdcc5c617e265
SHA1d5bd48764ed69b44399d3aceaa68f5b287351936
SHA2563904e58d4474c0ab207eab3ea6a9c42b64842708a302bb7e7fbb44b74437d10e
SHA512df52936dfcdf21e3e709b747d5acbfb0415e4cdfddb5e2bcbd7bc0ae02c272af821172eaace9d0f81ff1945281bb39f2f04062259fed5b52aec43dc48aa796d5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50b011a14a76f6a71a72d239caf569eb9
SHA19b44f4865aa4553eb055e213cbbcc3e53a7701e3
SHA256064ff16bb81de61826f351ea9dd334152d98f2e656b670b0a6ef71c9a511aa3d
SHA5121192dc5a638f1172a0469d5c8110d8a999c804c56b0f5dc863388d7c2298d40855137b6d582f710aa484e2a6b5cc45aab27935ae9189d30a427a0a9cfaee0d2e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b52be68cd39e102e5415a385c0134acd
SHA1fdc98a22434e284faaae831d6fd7580cb8d5a07f
SHA25634f236c583772f8dce78b4dde29d6e77b7216dea787941c6b43ada1a9b82a976
SHA512a697c2a6881b0a58dfeac7df7d399ee9847ce87ec8fd8f02870c27c564cf7d68f4baa9a85e14f8cb6b87eb44f3bfa2f0dbd60f34fc49c01a8fcd6108db05c57a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD53074183ce7744629fa68fd1cb9b1e127
SHA196b8f7a50dbe2556cc0ac7109de4e6ed1fdbb755
SHA2561d30635f050c0e39bfa6ae677aee1de577c16f043960b6f71e0cc8558d268b8f
SHA512e35800720dc7769c8630928dcdb97718d14faf463cc8c23939279162c5d02a7d67c95002b67140b0506ebae14d48144b3cdce25f36bb399dcbc56acdf2cf83a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD567b5c08a918ece6a74592076971ba157
SHA1ed890748a3dd25b21535ab5f75a198b150a4f86e
SHA256ab102516dfe7811253970157ae31d87a56be06ee22bab5c5e02a4ad0d055aec5
SHA512726fa41fe89b09be1608d58f6a0227ae3b9af648515d56832e710659f6cc830ca71fdfdcab417dc2beeda6b17d933a508aeb999b96e6ac02605edf98f04a47e6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD567b5c08a918ece6a74592076971ba157
SHA1ed890748a3dd25b21535ab5f75a198b150a4f86e
SHA256ab102516dfe7811253970157ae31d87a56be06ee22bab5c5e02a4ad0d055aec5
SHA512726fa41fe89b09be1608d58f6a0227ae3b9af648515d56832e710659f6cc830ca71fdfdcab417dc2beeda6b17d933a508aeb999b96e6ac02605edf98f04a47e6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b4fee1f03feb08c038f991dfb073d13c
SHA16cd00563cc325db4b237e7cf8c0086cdfddaf79d
SHA256a316d4e9dcee23709200eef8985463db55aeefab117ea375a2c4998ca1ecac66
SHA512094d6903595305add6984b576687ab73b69b4e15a10603bd19b0f6075b5ca66b78d5afeb7b370ca7a8fb1da2535dca3ce6ed4be3291b50997dec9f4e6a6848f7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58ee8a7720daaab7beab603315f3c407b
SHA1c19d9aa1a31f8f3608207f42a3dbfd689773c757
SHA256240934b068a225d52aac0c68e2060234d2ca2498e7331518462d71ed8d387157
SHA512f7c6395fa6adadaf9d214dee0a439c437fd48d1bb297e40708c14a8c6a07c210688c285411ab103ca290a7c704df9678f188a7c796d04a709d564f48fe5905f5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD551b27223e327ca9e2c267cc869b6f5b1
SHA1becbb554e2305e818331a7ba1e4703ffa12913f2
SHA256c7aa373bea9de4ae95d4d202e5834b37c2529f8b20b995ae4692f85c92f1dfad
SHA512f3e1da6fe772b0d1d37a7b613e50dd724f783a6e7651ecbab473b21a9c96d61aea806780816d550af4a3b38c0e70b0b0d1a6a9cff5cd7eacf3b9e4e791e9aaeb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58334085385767909de9ee36e49825447
SHA1aee36bef6bbc1117ef2e1ad63052cd3102e6eb5c
SHA256adb150da5129091c232ecae719e9482e14cb6dbe964c0242f5eaf38bed437049
SHA5125185b27daebd1e492fd865e792a4c716c9fccbc7ae9cf5f89d7ac5e931b9fc6d0928e5c931b4cd66c083f72451ac0c92dc3cfad19fa074a412df7e346c97c017
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58334085385767909de9ee36e49825447
SHA1aee36bef6bbc1117ef2e1ad63052cd3102e6eb5c
SHA256adb150da5129091c232ecae719e9482e14cb6dbe964c0242f5eaf38bed437049
SHA5125185b27daebd1e492fd865e792a4c716c9fccbc7ae9cf5f89d7ac5e931b9fc6d0928e5c931b4cd66c083f72451ac0c92dc3cfad19fa074a412df7e346c97c017
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5dd0153fbfe9da4a805457d8bc7c370e5
SHA11d4e86da243d1d763bba1d8ace4a3f575f11ab09
SHA256aa4771af425d6c100eb9fced4da6a212475a9778afefdd318c84e8a7a9df6add
SHA5125f121a5a994f1d60d62bc298cd2598a9de6fcfdc1218dcc861759d2b434b6853ac193d256318cb972af5ba7a843eea15bc2c641cf6529fea14eb15715b8e78ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5dd0153fbfe9da4a805457d8bc7c370e5
SHA11d4e86da243d1d763bba1d8ace4a3f575f11ab09
SHA256aa4771af425d6c100eb9fced4da6a212475a9778afefdd318c84e8a7a9df6add
SHA5125f121a5a994f1d60d62bc298cd2598a9de6fcfdc1218dcc861759d2b434b6853ac193d256318cb972af5ba7a843eea15bc2c641cf6529fea14eb15715b8e78ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59374fbdd7d880dbd5a48de896a321a11
SHA1719d7af17e9f61af6b066b88e476970cdba6f3ed
SHA2568fbe1a7102c43b50f80c6e864ff5787d29ea429d1ed54f72e1e507ff454c9ca0
SHA512da59906f97f15e600edfe46f5beb3a4dda4ab7984de4e461aaf3cc72a8feb1a5ef342b379d012e58c5f171f851b312402ac929a3bb267d0b930f8789d30e4d91
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59374fbdd7d880dbd5a48de896a321a11
SHA1719d7af17e9f61af6b066b88e476970cdba6f3ed
SHA2568fbe1a7102c43b50f80c6e864ff5787d29ea429d1ed54f72e1e507ff454c9ca0
SHA512da59906f97f15e600edfe46f5beb3a4dda4ab7984de4e461aaf3cc72a8feb1a5ef342b379d012e58c5f171f851b312402ac929a3bb267d0b930f8789d30e4d91
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52ecf11e3627426017bd9ab28a11767c9
SHA17d0cdc170d55193139c8b91efb0dc2bae1d0284c
SHA256be06467f31e359bd0c3ccaba4acd3c4412f6ec83aafb206041bffc2e14852f36
SHA512d33dc5cca0deca22b467ab9a5e5bac5ac72d1d764c92df7312d752a3fa1dbfe250322c04e045eab983218199ef0cc13406bcb909cc9ba85bca14657ef03741a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52ecf11e3627426017bd9ab28a11767c9
SHA17d0cdc170d55193139c8b91efb0dc2bae1d0284c
SHA256be06467f31e359bd0c3ccaba4acd3c4412f6ec83aafb206041bffc2e14852f36
SHA512d33dc5cca0deca22b467ab9a5e5bac5ac72d1d764c92df7312d752a3fa1dbfe250322c04e045eab983218199ef0cc13406bcb909cc9ba85bca14657ef03741a0
-
C:\Users\Admin\AppData\Local\Temp\142fb093-5f70-4115-b78a-b86e033682fc.vbsFilesize
705B
MD5f1624fc50d20ecac6e67da4bf601c5e7
SHA162b0014e6c02921860e7206de6feb2709f37379a
SHA25606080c93e33ec95ca04620884f3f842b21f15b15846c27c060c67c4bef97507b
SHA51284c0e4a2e37063ac329930fda40c6fa5a69d389089c2af80eec2690431c01b07e2f55283ca5cdf070bbbca8ab4e6ba3dd03341fec21397a845a0aa5fcdef1aa8
-
C:\Users\Admin\AppData\Local\Temp\6c752945-814d-46fe-ba83-22a26ddf0926.vbsFilesize
481B
MD5c458a63f877db762a6cb091db38e4c0f
SHA14ee716c8859bda8a799c1062688cf79ebf7f5266
SHA2561be5047c6e58b4dfec983152461d6ab1e5bd33360bb299c3866cc57d915fbaae
SHA512cdd145b12b11f49dc1c141910733b33757a2962f2384a37732aa8629fb1100cf5c686569f4e5d094e594d1f983a9c0e53b67f067384da709b383487e98fa62d5
-
C:\Users\Admin\AppData\Local\Temp\84e323c6-ec07-495a-add4-b8de51acb977.vbsFilesize
705B
MD5c0126685618dd1ef0ba714d096254419
SHA1d20242757952a64cb9eba35f9ca8403f79fae73b
SHA256a72a04159feae187e0452b3f6d218c2226d39656c1d22c9b12bd9f326e1eaa15
SHA51243a229e32f2d9644bf894056c45f25fc55f2c105ec48e38db286f37f039c9025cd94c1a3f9cfd0e9d12ddc4758a9b3ab2d29dbac2e912d915998da33c3b7a90f
-
C:\Users\Admin\AppData\Local\Temp\8gvyepI0e2.batFilesize
204B
MD5cf8d3667ebbcf5642ad21dd7fedc9aae
SHA1d0a186dec55973d1be47ce82e73c4bc8199b1297
SHA256f19c63210c1ef6723a879d2955f9d461a862c8f6ff3042a6b0f9aabba848ce79
SHA512a494274cc659a8c760d7cd589b888000cdc9780c109204bd3f1ac27dd56ece427cacac6e21185570c5e3d910afb2314f096fb221251ba167b9298cd75ddd958f
-
C:\Users\Admin\AppData\Local\Temp\b93a6fe2-fe29-47bd-8e7e-0303e4f626b5.vbsFilesize
481B
MD5c458a63f877db762a6cb091db38e4c0f
SHA14ee716c8859bda8a799c1062688cf79ebf7f5266
SHA2561be5047c6e58b4dfec983152461d6ab1e5bd33360bb299c3866cc57d915fbaae
SHA512cdd145b12b11f49dc1c141910733b33757a2962f2384a37732aa8629fb1100cf5c686569f4e5d094e594d1f983a9c0e53b67f067384da709b383487e98fa62d5
-
C:\Users\Admin\AppData\Local\Temp\ca9e9ecc758009c9e5e88c36a3cad9405dc138f1.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\Users\Default User\dwm.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\Users\Default\dwm.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
C:\Users\Default\dwm.exeFilesize
2.6MB
MD5b1364fea5ff9a5f9d5e4f63374b926fc
SHA1a837da0330a19c84bd2aaef52125f9cf98dc6f95
SHA256cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce
SHA512bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf
-
memory/304-661-0x0000000000000000-mapping.dmp
-
memory/640-663-0x0000000000000000-mapping.dmp
-
memory/864-669-0x0000000000000000-mapping.dmp
-
memory/1248-724-0x00000000028E0000-0x00000000028F2000-memory.dmpFilesize
72KB
-
memory/1248-693-0x0000000000000000-mapping.dmp
-
memory/1268-1056-0x0000000000000000-mapping.dmp
-
memory/1732-665-0x0000000000000000-mapping.dmp
-
memory/1964-401-0x0000000000000000-mapping.dmp
-
memory/2164-666-0x0000000000000000-mapping.dmp
-
memory/2188-664-0x0000000000000000-mapping.dmp
-
memory/2260-402-0x0000000000000000-mapping.dmp
-
memory/2416-655-0x0000000000000000-mapping.dmp
-
memory/2416-657-0x0000000000A30000-0x0000000000A42000-memory.dmpFilesize
72KB
-
memory/2660-1050-0x0000000000000000-mapping.dmp
-
memory/2660-1053-0x0000000000DB0000-0x0000000000DC2000-memory.dmpFilesize
72KB
-
memory/2660-1054-0x000000001B120000-0x000000001B176000-memory.dmpFilesize
344KB
-
memory/2660-1055-0x0000000000DE0000-0x0000000000DF2000-memory.dmpFilesize
72KB
-
memory/2748-156-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-142-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-174-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-175-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-176-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-177-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-178-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-116-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-117-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-118-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-172-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-171-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-120-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-121-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-170-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-169-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-123-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-124-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-125-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-126-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-127-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-128-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-129-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-130-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-131-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-132-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-133-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-134-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-135-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-136-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-137-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-138-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-139-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-140-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-168-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-141-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-173-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-143-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-144-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-167-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-165-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-145-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-146-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-148-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-147-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-149-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-166-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-150-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-164-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-163-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-162-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-151-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-161-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-160-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-159-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-158-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-157-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-115-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-155-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-154-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-153-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2748-152-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/2756-485-0x0000000000000000-mapping.dmp
-
memory/3028-296-0x0000000000000000-mapping.dmp
-
memory/3116-673-0x0000000000000000-mapping.dmp
-
memory/3288-406-0x0000000000000000-mapping.dmp
-
memory/3332-404-0x0000000000000000-mapping.dmp
-
memory/3520-659-0x0000000000000000-mapping.dmp
-
memory/3732-1058-0x0000000000000000-mapping.dmp
-
memory/3752-403-0x0000000000000000-mapping.dmp
-
memory/3952-283-0x000000001BBE0000-0x000000001BC30000-memory.dmpFilesize
320KB
-
memory/3952-290-0x000000001B570000-0x000000001B57A000-memory.dmpFilesize
40KB
-
memory/3952-278-0x0000000000000000-mapping.dmp
-
memory/3952-281-0x0000000000720000-0x00000000009C2000-memory.dmpFilesize
2.6MB
-
memory/3952-292-0x000000001BBD0000-0x000000001BBDC000-memory.dmpFilesize
48KB
-
memory/3952-282-0x0000000001230000-0x000000000124C000-memory.dmpFilesize
112KB
-
memory/3952-284-0x0000000002C30000-0x0000000002C46000-memory.dmpFilesize
88KB
-
memory/3952-291-0x000000001BBC0000-0x000000001BBCE000-memory.dmpFilesize
56KB
-
memory/3952-285-0x0000000002B00000-0x0000000002B12000-memory.dmpFilesize
72KB
-
memory/3952-289-0x000000001C360000-0x000000001C886000-memory.dmpFilesize
5.1MB
-
memory/3952-293-0x000000001BC80000-0x000000001BC8A000-memory.dmpFilesize
40KB
-
memory/3952-286-0x000000001BB90000-0x000000001BBA0000-memory.dmpFilesize
64KB
-
memory/3952-287-0x000000001BC30000-0x000000001BC86000-memory.dmpFilesize
344KB
-
memory/3952-288-0x0000000002C50000-0x0000000002C62000-memory.dmpFilesize
72KB
-
memory/3952-294-0x000000001BC90000-0x000000001BC9C000-memory.dmpFilesize
48KB
-
memory/4192-743-0x0000000000000000-mapping.dmp
-
memory/4224-753-0x0000000000000000-mapping.dmp
-
memory/4228-312-0x000001EC94B60000-0x000001EC94B82000-memory.dmpFilesize
136KB
-
memory/4228-317-0x000001ECAD610000-0x000001ECAD686000-memory.dmpFilesize
472KB
-
memory/4228-295-0x0000000000000000-mapping.dmp
-
memory/4280-405-0x0000000000000000-mapping.dmp
-
memory/4300-658-0x0000000000000000-mapping.dmp
-
memory/4376-297-0x0000000000000000-mapping.dmp
-
memory/4412-660-0x0000000000000000-mapping.dmp
-
memory/4460-326-0x0000000000D40000-0x0000000000D52000-memory.dmpFilesize
72KB
-
memory/4460-298-0x0000000000000000-mapping.dmp
-
memory/4460-332-0x0000000002700000-0x0000000002712000-memory.dmpFilesize
72KB
-
memory/4472-662-0x0000000000000000-mapping.dmp
-
memory/4544-426-0x0000000000000000-mapping.dmp
-
memory/4892-407-0x0000000000000000-mapping.dmp
-
memory/5024-181-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5024-180-0x0000000077100000-0x000000007728E000-memory.dmpFilesize
1.6MB
-
memory/5024-179-0x0000000000000000-mapping.dmp
-
memory/5056-255-0x0000000000000000-mapping.dmp