Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 10:31

General

  • Target

    d1793da857eca536d0d06e1bdfa657ab.exe

  • Size

    2.7MB

  • MD5

    d1793da857eca536d0d06e1bdfa657ab

  • SHA1

    bb07044f5867554c74063d4c9509248657322040

  • SHA256

    60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2

  • SHA512

    8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b

  • SSDEEP

    49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1793da857eca536d0d06e1bdfa657ab.exe
    "C:\Users\Admin\AppData\Local\Temp\d1793da857eca536d0d06e1bdfa657ab.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4484
    • C:\Windows\PolicyDefinitions\wininit.exe
      "C:\Windows\PolicyDefinitions\wininit.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\System\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\System\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchApp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\Update\unsecapp.exe

    Filesize

    2.7MB

    MD5

    1c92fd173b2fe45f26ff083c7127533c

    SHA1

    aeec4714cc9e88fdf4ae961cfeb947ad0ae5b18d

    SHA256

    9dcef7952749bf8735cbca004635a7b3110cb3638f360ebf823a983c09f23bbc

    SHA512

    44ebc6da73ba86bf776350bceacc1d3c4342e7bae2dc7e3ae8cc4161821bb744cf6e6585950a1b1536498049439d713e7736c050dd1057cba8e2cdeb99bf1b96

  • C:\Program Files (x86)\Windows Media Player\Skins\sihost.exe

    Filesize

    2.7MB

    MD5

    d1793da857eca536d0d06e1bdfa657ab

    SHA1

    bb07044f5867554c74063d4c9509248657322040

    SHA256

    60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2

    SHA512

    8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b

  • C:\Program Files\Windows NT\Accessories\en-US\OfficeClickToRun.exe

    Filesize

    2.7MB

    MD5

    ca8abc09395a2e03a028ee6a5ce4d444

    SHA1

    430ed9a12f61ada726b69f2c7c606a2c2c2a29dd

    SHA256

    e5d5cedb68b6c1db028771b6aeeb95fbd09e4ccd139592c212ec2487e872c657

    SHA512

    e9e9a6a24429f3fa95de1eb8ce06963bb551a639b039d70d724f376e5653d36d573a238ea5a6faf68a639cf63d6cad133557387181dc5de9186301a7b5e5f330

  • C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe

    Filesize

    2.7MB

    MD5

    62f03cecbfc3cd7f4d13aa92c571b744

    SHA1

    ff4935926948d893dd0954dac815a0adfc444a86

    SHA256

    eb33222c177d43273d92466f131c65ab62b371d3a76e8fa9801dfc43f4a1d0c2

    SHA512

    c7b37f2da01d67fb463145e30e3c62965deb4a9992a0ff4dbf76ef29efb89a0f91460a23ec0706722f3cc84a588a1597194be075f725467719da3cc6047c1663

  • C:\Users\Admin\Music\dwm.exe

    Filesize

    2.7MB

    MD5

    fabc0bcc88ce064a55364038af4a5a81

    SHA1

    7666d127ba980b19bfb519a2a5d66275f0672096

    SHA256

    079d32fca34af0567d051cfe05329e09921cf958edd15bd63972896bbd2e607f

    SHA512

    9e80bb5eb6b5d70d109df0096a6d67ab526f375968f2219ce85a183f8193ca8cde8f6e60d62ed0a47c1430b9268fcb9cf8ae0e834bd262627bd39d3a3da1fdce

  • C:\Users\Default\RuntimeBroker.exe

    Filesize

    2.7MB

    MD5

    8b4dac487a24a738f5e618cf5945380a

    SHA1

    146c1bd5b38cb2d28e8715146a8e7dcdf7ee75c4

    SHA256

    01bb36d372caaf5dc7e00bff10d6a81a634ee3cf981e6cb5dad549e1de96e913

    SHA512

    a5cb23aef1a604e0d79aaeb27f56dc884e8e2a16413ca011eaded465671b2d69e17dbbe67bdd7d54769d4dff0e387b72e550241c6454afcbc8e1ccbda508d98c

  • C:\Windows\PolicyDefinitions\wininit.exe

    Filesize

    2.7MB

    MD5

    879c2132a0ef9ec3cd32f9886e89e7d5

    SHA1

    ddba003b1702c8bb42745344815c123a545b5aaa

    SHA256

    995d46d9da40eb5c5ae5256571a0d87a043c395652404cceea2c7548ac4379c6

    SHA512

    b5b3ef30b9af71cafc1418fb540f1291ce6ae4c816f6b5c1c58e22d514e95b4fab1dfce02b46172bf02d47cb6991954c684ea621668b57afc5b362a2a6689510

  • memory/1396-312-0x000000001B680000-0x000000001B692000-memory.dmp

    Filesize

    72KB

  • memory/1396-310-0x00000000007F0000-0x0000000000AA4000-memory.dmp

    Filesize

    2.7MB

  • memory/4484-9-0x000000001B320000-0x000000001B328000-memory.dmp

    Filesize

    32KB

  • memory/4484-10-0x000000001B340000-0x000000001B34A000-memory.dmp

    Filesize

    40KB

  • memory/4484-11-0x000000001B9B0000-0x000000001BA06000-memory.dmp

    Filesize

    344KB

  • memory/4484-12-0x000000001B330000-0x000000001B338000-memory.dmp

    Filesize

    32KB

  • memory/4484-13-0x000000001BB00000-0x000000001BB12000-memory.dmp

    Filesize

    72KB

  • memory/4484-14-0x000000001C040000-0x000000001C568000-memory.dmp

    Filesize

    5.2MB

  • memory/4484-20-0x000000001BA70000-0x000000001BA7A000-memory.dmp

    Filesize

    40KB

  • memory/4484-16-0x000000001BA30000-0x000000001BA38000-memory.dmp

    Filesize

    32KB

  • memory/4484-15-0x000000001BA20000-0x000000001BA28000-memory.dmp

    Filesize

    32KB

  • memory/4484-19-0x000000001BA60000-0x000000001BA6C000-memory.dmp

    Filesize

    48KB

  • memory/4484-21-0x000000001BA80000-0x000000001BA8C000-memory.dmp

    Filesize

    48KB

  • memory/4484-18-0x000000001BA50000-0x000000001BA5E000-memory.dmp

    Filesize

    56KB

  • memory/4484-17-0x000000001BA40000-0x000000001BA4C000-memory.dmp

    Filesize

    48KB

  • memory/4484-7-0x0000000002810000-0x0000000002820000-memory.dmp

    Filesize

    64KB

  • memory/4484-0-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

    Filesize

    8KB

  • memory/4484-8-0x000000001B300000-0x000000001B316000-memory.dmp

    Filesize

    88KB

  • memory/4484-6-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

  • memory/4484-178-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

    Filesize

    8KB

  • memory/4484-5-0x000000001B350000-0x000000001B3A0000-memory.dmp

    Filesize

    320KB

  • memory/4484-4-0x00000000027F0000-0x000000000280C000-memory.dmp

    Filesize

    112KB

  • memory/4484-194-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/4484-3-0x0000000000D80000-0x0000000000D8E000-memory.dmp

    Filesize

    56KB

  • memory/4484-2-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/4484-311-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/4484-1-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB