Resubmissions

21-11-2024 22:31

241121-2fewhasrfn 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-11-2024 22:31

General

  • Target

    59b9f54f927431d2cf31d3aa202a0843.exe

  • Size

    2.2MB

  • MD5

    59b9f54f927431d2cf31d3aa202a0843

  • SHA1

    b23d214605133dc8e930f9a9d473c7c7622b4b56

  • SHA256

    007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

  • SHA512

    89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8

  • SSDEEP

    24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky

Malware Config

Signatures

  • DcRat 43 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 14 IoCs
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 28 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 10 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe
    "C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2196
    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2960
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33119683-9821-4246-9c47-e8499529bef2.vbs"
        3⤵
          PID:1484
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42c731b7-cd6c-406d-aaff-5a1786c19ba1.vbs"
        3⤵
          PID:2128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2612
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1612
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\sppsvc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2860
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:748
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\sppsvc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\es-ES\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2148
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2304
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2144
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:908
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:1772

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Microsoft Visual Studio 8\59b9f54f927431d2cf31d3aa202a0843.exe

          Filesize

          2.2MB

          MD5

          2df8e84d76c517286f65d40f69844ace

          SHA1

          cbbc28aaa8862b7d4182c04f82ebf33f589dd852

          SHA256

          58d1f18b8cea469dc4515783d33b6c3b78865043552fd10ee6e19f936b2e02de

          SHA512

          862c8168acc4e35760598891e54037b4179779d5a9e805136075a03c15d21a252e1b13b61caa569c6971b87370d5890d53ce33a2af64313fe0a3d79f3c122ac3

        • C:\Program Files\Reference Assemblies\RCXED51.tmp

          Filesize

          2.2MB

          MD5

          54b48d7611fb49892fd9f36e6c9eb58c

          SHA1

          ca6e1ff091ea3624afd344751886e9b4e655a6f3

          SHA256

          f8fd70996226e10c0e26187249fc0e156c5d5141f6db19e2cf070b75d0e800c8

          SHA512

          52312fb241f9c9a3e1978e64127e574e35130b052081ead8eeb3bc9361825738cab14d172e3651effc7b97615cfec9ca565726decb3b721c1754c4f7a84ae754

        • C:\Users\Admin\AppData\Local\Temp\33119683-9821-4246-9c47-e8499529bef2.vbs

          Filesize

          746B

          MD5

          7e63ffc2c1d7d5a9ef139b7de6198331

          SHA1

          204256492393f60a959cc50f70ceff83b4e4ef6f

          SHA256

          810f2725922559e87fad92ce8438bca28641f61b036de3d38ee68dd7c71137b9

          SHA512

          8b4e51adfb84c349ddef121587da60d45eac911741a4b938f9ca8456f59cbba51413300672ccac976115457553f8408b98558ffa337a0af090d45a54ae9539ca

        • C:\Users\Admin\AppData\Local\Temp\42c731b7-cd6c-406d-aaff-5a1786c19ba1.vbs

          Filesize

          522B

          MD5

          408655c8ae8b8b144503095766dc70a3

          SHA1

          19ed084d193c73038f44f096eadfff18a38eff19

          SHA256

          dbec708aa8b23e5123daaad3506d2d7657c8b868f7a07f7ff9bd4cc44a19c6a6

          SHA512

          66a69afa40ff22f4422dd42ff00de58135a09adb20497cfe784e43c33101720c60addf1c3dc72895007afaf7408700fbfbe12178be1711d1fc1bb2af931df546

        • C:\Windows\Cursors\smss.exe

          Filesize

          2.2MB

          MD5

          59b9f54f927431d2cf31d3aa202a0843

          SHA1

          b23d214605133dc8e930f9a9d473c7c7622b4b56

          SHA256

          007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

          SHA512

          89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8

        • C:\Windows\DigitalLocker\es-ES\sppsvc.exe

          Filesize

          2.2MB

          MD5

          06bd9cd8dc19f7c395e894e0ea5a8881

          SHA1

          80b018712b9105a4d1bd5fa8ca55598c43b4c4d3

          SHA256

          8dda218c256b388ce046e49b408b6e2f965bf5bfbcf660741bb3c8183e23ed76

          SHA512

          aef14cc9991c7401d236540dace19f7ef18f1db7092e0730ec37d56b3be2f427b082ed34dc7f528529eec5ce77f91504e0848b229b040ddb3c8401bc40caaf74
