dcrat | f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
129s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
Size

1.6MB
MD5

072d2202b56c22e2f03d6d9f20daf3d4
SHA1

0ab55b346a913174a29e2fdc4f27e9d75894706e
SHA256

6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e
SHA512

c641638b944a9c57f1127a67a5afbf961498e72900fad69d720b778922823434baf8d2843333d761ae6f5516a3d03427a550d0a4b9eabb39ee7dd102d681e47e
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral21/memory/296-1-0x0000000001120000-0x00000000012C2000-memory.dmp	dcrat
behavioral21/files/0x00050000000194ee-25.dat	dcrat
behavioral21/files/0x0007000000019dde-58.dat	dcrat
behavioral21/memory/1280-156-0x0000000000EF0000-0x0000000001092000-memory.dmp	dcrat
behavioral21/memory/2568-231-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral21/memory/1884-243-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral21/memory/2288-255-0x0000000001240000-0x00000000013E2000-memory.dmp	dcrat
behavioral21/memory/2072-278-0x0000000001310000-0x00000000014B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe
2508	powershell.exe
2348	powershell.exe
2224	powershell.exe
2684	powershell.exe
2568	powershell.exe
2412	powershell.exe
2408	powershell.exe
956	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1280	wininit.exe
2300	wininit.exe
2748	wininit.exe
2348	wininit.exe
2568	wininit.exe
1884	wininit.exe
2288	wininit.exe
2676	wininit.exe
2072	wininit.exe
2628	wininit.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\Internet Explorer\csrss.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\MSBuild\RCXE82F.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXF11D.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXF11E.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Internet Explorer\csrss.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\MSBuild\7a0fd90576e088	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\MSBuild\RCXE830.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXEAA2.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXF526.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXF527.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\MSBuild\explorer.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\cc11b995f2a76d	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\Internet Explorer\de-DE\csrss.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\Internet Explorer\de-DE\886983d96e3d3e	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\Internet Explorer\886983d96e3d3e	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File created	C:\Program Files\MSBuild\explorer.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXEA34.tmp	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\csrss.exe	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
852	schtasks.exe
1744	schtasks.exe
2752	schtasks.exe
3016	schtasks.exe
3028	schtasks.exe
1844	schtasks.exe
2444	schtasks.exe
1484	schtasks.exe
1848	schtasks.exe
2964	schtasks.exe
1988	schtasks.exe
1820	schtasks.exe
2428	schtasks.exe
2756	schtasks.exe
2816	schtasks.exe
1628	schtasks.exe
1752	schtasks.exe
2376	schtasks.exe
2720	schtasks.exe
2900	schtasks.exe
2968	schtasks.exe
2432	schtasks.exe
2072	schtasks.exe
796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
2508	powershell.exe
956	powershell.exe
2684	powershell.exe
2348	powershell.exe
2224	powershell.exe
2268	powershell.exe
2568	powershell.exe
2408	powershell.exe
2412	powershell.exe
1280	wininit.exe
2300	wininit.exe
2748	wininit.exe
2348	wininit.exe
2568	wininit.exe
1884	wininit.exe
2288	wininit.exe
2676	wininit.exe
2072	wininit.exe
2628	wininit.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1280	wininit.exe
Token: SeDebugPrivilege	2300	wininit.exe
Token: SeDebugPrivilege	2748	wininit.exe
Token: SeDebugPrivilege	2348	wininit.exe
Token: SeDebugPrivilege	2568	wininit.exe
Token: SeDebugPrivilege	1884	wininit.exe
Token: SeDebugPrivilege	2288	wininit.exe
Token: SeDebugPrivilege	2676	wininit.exe
Token: SeDebugPrivilege	2072	wininit.exe
Token: SeDebugPrivilege	2628	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2684	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	56
PID 296 wrote to memory of 2684	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	56
PID 296 wrote to memory of 2684	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	56
PID 296 wrote to memory of 2224	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	57
PID 296 wrote to memory of 2224	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	57
PID 296 wrote to memory of 2224	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	57
PID 296 wrote to memory of 956	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	59
PID 296 wrote to memory of 956	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	59
PID 296 wrote to memory of 956	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	59
PID 296 wrote to memory of 2408	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	60
PID 296 wrote to memory of 2408	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	60
PID 296 wrote to memory of 2408	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	60
PID 296 wrote to memory of 2412	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	62
PID 296 wrote to memory of 2412	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	62
PID 296 wrote to memory of 2412	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	62
PID 296 wrote to memory of 2348	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	64
PID 296 wrote to memory of 2348	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	64
PID 296 wrote to memory of 2348	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	64
PID 296 wrote to memory of 2508	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	65
PID 296 wrote to memory of 2508	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	65
PID 296 wrote to memory of 2508	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	65
PID 296 wrote to memory of 2568	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	66
PID 296 wrote to memory of 2568	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	66
PID 296 wrote to memory of 2568	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	66
PID 296 wrote to memory of 2268	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	67
PID 296 wrote to memory of 2268	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	67
PID 296 wrote to memory of 2268	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	67
PID 296 wrote to memory of 1280	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	74
PID 296 wrote to memory of 1280	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	74
PID 296 wrote to memory of 1280	296	6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe	74
PID 1280 wrote to memory of 580	1280	wininit.exe	75
PID 1280 wrote to memory of 580	1280	wininit.exe	75
PID 1280 wrote to memory of 580	1280	wininit.exe	75
PID 1280 wrote to memory of 2476	1280	wininit.exe	76
PID 1280 wrote to memory of 2476	1280	wininit.exe	76
PID 1280 wrote to memory of 2476	1280	wininit.exe	76
PID 580 wrote to memory of 2300	580	WScript.exe	77
PID 580 wrote to memory of 2300	580	WScript.exe	77
PID 580 wrote to memory of 2300	580	WScript.exe	77
PID 2300 wrote to memory of 1376	2300	wininit.exe	78
PID 2300 wrote to memory of 1376	2300	wininit.exe	78
PID 2300 wrote to memory of 1376	2300	wininit.exe	78
PID 2300 wrote to memory of 1708	2300	wininit.exe	79
PID 2300 wrote to memory of 1708	2300	wininit.exe	79
PID 2300 wrote to memory of 1708	2300	wininit.exe	79
PID 1376 wrote to memory of 2748	1376	WScript.exe	80
PID 1376 wrote to memory of 2748	1376	WScript.exe	80
PID 1376 wrote to memory of 2748	1376	WScript.exe	80
PID 2748 wrote to memory of 1620	2748	wininit.exe	81
PID 2748 wrote to memory of 1620	2748	wininit.exe	81
PID 2748 wrote to memory of 1620	2748	wininit.exe	81
PID 2748 wrote to memory of 1440	2748	wininit.exe	82
PID 2748 wrote to memory of 1440	2748	wininit.exe	82
PID 2748 wrote to memory of 1440	2748	wininit.exe	82
PID 1620 wrote to memory of 2348	1620	WScript.exe	83
PID 1620 wrote to memory of 2348	1620	WScript.exe	83
PID 1620 wrote to memory of 2348	1620	WScript.exe	83
PID 2348 wrote to memory of 2200	2348	wininit.exe	84
PID 2348 wrote to memory of 2200	2348	wininit.exe	84
PID 2348 wrote to memory of 2200	2348	wininit.exe	84
PID 2348 wrote to memory of 2768	2348	wininit.exe	85
PID 2348 wrote to memory of 2768	2348	wininit.exe	85
PID 2348 wrote to memory of 2768	2348	wininit.exe	85
PID 2200 wrote to memory of 2568	2200	WScript.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe
"C:\Users\Admin\AppData\Local\Temp\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Default User\wininit.exe
  "C:\Users\Default User\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8e9f827-0086-4c59-9c1c-61656df96598.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Users\Default User\wininit.exe
      "C:\Users\Default User\wininit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d922324-3d13-4b56-ab79-ccd314621c83.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fa13b61-32f7-47c6-b177-e4f9c86cec85.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b289d5-9786-4b0d-8cd8-955c0da5c5c1.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35346576-d3e4-41c8-b9d9-66a0e6ee5356.vbs"
        11⤵
        
        PID:1848
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ae124f-3d16-4656-9ce3-d5b2e94aa592.vbs"
        13⤵
        
        PID:1576
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\585c3a1d-67d4-43fc-82bc-d37ff066c5d6.vbs"
        15⤵
        
        PID:860
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2cf8c87-2537-48dc-87c7-79a4dc91e7b4.vbs"
        17⤵
        
        PID:3060
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f38d72-3069-4f2f-8ece-59dba51a2aa7.vbs"
        19⤵
        
        PID:3068
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b533a4-2acb-4791-810f-70b370b6592d.vbs"
        21⤵
        
        PID:2480
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        22⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d13bce0-9f5d-42e6-858a-6e990b407b01.vbs"
        23⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9deb1dd5-d494-4efa-8c01-39dadeb0e2eb.vbs"
        23⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49dce676-edf2-4711-aa66-71cd72955a75.vbs"
        21⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8914b15-5469-446d-98db-e010eeff7c57.vbs"
        19⤵
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f913df01-cbbb-4e38-81a5-fe384cbb2117.vbs"
        17⤵
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98d4d78e-dab8-4f68-a667-46ae9e2052d4.vbs"
        15⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\905ae385-26a7-4d3b-b546-5166f6401d09.vbs"
        13⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39173d46-977a-493e-a74a-c4219d7a6652.vbs"
        11⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c406c521-6f9c-4aa1-9bba-21a8c81a4ec5.vbs"
        9⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc48f6e3-568a-42da-a77a-e71e91c39844.vbs"
        7⤵
        
        PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc704513-2fa0-4b6b-aa65-96c77db9bc06.vbs"
        5⤵
        
        PID:1708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bfbb2e7-2645-4850-b50f-b6a4da8bcd2b.vbs"
    3⤵
    PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e6" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e6" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe

Filesize
1.6MB

MD5
dc607668d25fa9eca625cbad8fbdda8c

SHA1
7c53043b327bc7b8f3198d6aa1679cf94be610bb

SHA256
161259c1935e8ae63e8bf48958d4d490fa79e9c345ea503949a5c89f0ccb33b8

SHA512
4847ecce13ee2db5c25e8ad5bfff96f42731004f14a21401e6d656dac30fe700adffad59478713fdb46a942205980dfad891597492ab867d609d19e2ef30380e

Download Submit
C:\Program Files\Internet Explorer\de-DE\csrss.exe

Filesize
1.6MB

MD5
072d2202b56c22e2f03d6d9f20daf3d4

SHA1
0ab55b346a913174a29e2fdc4f27e9d75894706e

SHA256
6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e

SHA512
c641638b944a9c57f1127a67a5afbf961498e72900fad69d720b778922823434baf8d2843333d761ae6f5516a3d03427a550d0a4b9eabb39ee7dd102d681e47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\35346576-d3e4-41c8-b9d9-66a0e6ee5356.vbs

Filesize
709B

MD5
e3d2043b3dc6545e0717a066ae7506ea

SHA1
f067d6b3cd7e3f986fe9a20f144857e20d87cc0a

SHA256
9c78866f51c4dd569b60e524487adbaac27f0819ea9eb8377000cfbf8985eaa3

SHA512
789c8e6d49986d9b1f8b5e718a52ab1a03e90bd860c1d5783cda56b3eebf9a3644b750e2085c7eef5d244b1f3c4bc69de7ff2d185739b4b6ae2738ce65757b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\36b289d5-9786-4b0d-8cd8-955c0da5c5c1.vbs

Filesize
709B

MD5
7e444d55a48bb045c4dba724a7ec4c23

SHA1
532db43cf26581f7a3298c0b1e31b4a0244bc25a

SHA256
ae1e3e0e8e3b68624dcc541d71d9ab633c41b330d984698e6e3b1c17bece8331

SHA512
e61e2ffd3fd15210861d22f04a5511d2c18adad7f183b955c782ac67e57c36bbeb187fda53c234d19b772ab37a6d405bc4e4cdf366ea292fb897b3b9f3d5d27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d13bce0-9f5d-42e6-858a-6e990b407b01.vbs

Filesize
709B

MD5
b9d84fccbd86eb02e98409d9de881dc5

SHA1
2a4f02bb8db3ba19bde6e4bba0ee520b89650af5

SHA256
8a07f5d8abff06fa50919a1118bc4afaf98101b514a568d1da6750420327c085

SHA512
5ee051d08a723053ed9e807f909a675f2d3e19995cbb6c830f5fcfcd05c04e366716ce6f76a198085305911e7c888be272c7131e80472eb637b0c931ebf286a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\46f38d72-3069-4f2f-8ece-59dba51a2aa7.vbs

Filesize
709B

MD5
8892019a403ea6712f48e3978cff6dab

SHA1
420b680b28b96ac7be2fc0a5cfdc8de7cb5c636d

SHA256
bb0fb44fa1b239b5e4ffe5b96b9aeb597da536b13473ff29f76b474235f4be1a

SHA512
8faad4fc66d25d31c091ecd1166926b83a8080c9275efad72dc18b267820d1cf3b9670a7dbd224a3f4d7fcaed1a3aba379a79907fc2cfbe27d41d99820803631

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bfbb2e7-2645-4850-b50f-b6a4da8bcd2b.vbs

Filesize
485B

MD5
94d43c49b6b0424bd307bc1601a78101

SHA1
9a61f97ad6ff62ec9b9b92724403e91b92f594b2

SHA256
163fd21bfe160bb078f3d375f1705d323374c83c0fc0f0871725202deebfbb58

SHA512
9cbc648f2d7ad40f74a719ec3183c96dde5adb19fbc86e63d3d870208ccdffd6c3c431dfcab3f363b1835ba947dd373ca3f5b658fc2c969913dc24c3aef25e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa13b61-32f7-47c6-b177-e4f9c86cec85.vbs

Filesize
709B

MD5
96c35f74828ded48116212d19ade8b46

SHA1
3061ad261e74ec15d81cea2191d3dc969167d757

SHA256
43ee65aad5da6085d5818d72432c5ad4cd034d9db1ce3a368dc06441f69fd80c

SHA512
d29b5929d0599db24a0b8c72cec81dff3f567f2ad71b7c9ba8a2151a79eb93e133f55afba91fdaa395c3ca930278ff4689d6bab92f44cd7801cc11dd79814c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\585c3a1d-67d4-43fc-82bc-d37ff066c5d6.vbs

Filesize
709B

MD5
e5a28f023d1b409a8670eae3c21f460b

SHA1
b116485d704814385d8aca9f4a323507deef2afe

SHA256
48ce1d55fc58005ef2b6796a4f04c13c8c43935e3989b247ffe620c58fb11cbe

SHA512
a7aa947001de234d6dbb0dad53199e1215c4204a4047961192b8b1d57743308972263e776c939e5ce3351a9f26bdf4273f0804fb7b2d53245d320526e1f54cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d922324-3d13-4b56-ab79-ccd314621c83.vbs

Filesize
709B

MD5
b93078e9466ea45bcefe39b90fb3ff13

SHA1
adec475b6bd7d2e63003fd892e73932b391e23de

SHA256
761b5d00ea3aaefb2adf74eac5debd1cc80d366bc4c531dfaeb977258de96815

SHA512
546487e8678de3ebb1bf11a697e64083bbd6b556fad96e6c671bb1d812d42be65f02016a0728e35ed2415ac951d42e5ecf95e32ec17283cca9801b5524ab2b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0b533a4-2acb-4791-810f-70b370b6592d.vbs

Filesize
709B

MD5
282b04cb64e6331faf0276f4d7057f5e

SHA1
4c7ffd308359f917eb159b8fc3744281b79d8dc0

SHA256
fc15792ae3827ccee5f2576c5f2f7b96b16d75cca95e98f4ffabbb59eae1cdf8

SHA512
0497268e6c118040b2e30433777bd989dcd33b339e94dd115fa79dce60b05f9bd87a1a4df4dcc0b8df8a18669a77201ac53aca72f3b4a2f917fb39690b6027a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3ae124f-3d16-4656-9ce3-d5b2e94aa592.vbs

Filesize
709B

MD5
ba623bfaa6d7f61345b0144652633f28

SHA1
f0d7795e075f8cb19219198b5a1fb64ea0fd2ca7

SHA256
059f0d32539eb21c6a4881f18ff4593ae7b4ab25e49ce995145c62209f8a9d86

SHA512
288d894ed3527751053430fd592fee742fd4d92c47765219aac9dda3289452a61c77a9570c0fceac97867ef682d1cc915cabc1f5e5b2b42cf48e5b1c9aa7d569

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2cf8c87-2537-48dc-87c7-79a4dc91e7b4.vbs

Filesize
709B

MD5
be5a90c4e6e93e44a84fcce39da554c2

SHA1
35e91a71ac83269d90d17e6644a118f0227c0eb6

SHA256
b20c8673f7b44a6c7e8844e04ee6ae4a1053c187148e0641e4449c24e15ce049

SHA512
1f3cfc67844453c918cf46c98e7560a621c1191fe797dbede7304cbb466a2218a8c6260a7083d4b93b45e3194d6c1bd629b16eafb63bb45ccde3bd41a567de31

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8e9f827-0086-4c59-9c1c-61656df96598.vbs

Filesize
709B

MD5
4c82540c435b07d4af2b1c98b1ba72ff

SHA1
b299a5bb6e85e1acddd044b21a19d45fc8db3cb4

SHA256
f578a5514aadccb6f5243f7bc5a6eccbd844d76cff34440f51b63c53550c8f9a

SHA512
8bf04896c7f340730b0bf4e1dbd0d4279de1b5881cd04ba4b0fa83e3951cca04f80c0c335d707c5ebdba343c69256ffc022bbd9b27dff7468300ff3fed4f4f40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e382e3c437a31221aac0104b23be76a5

SHA1
51311deabe89df79816d6e2d2feab9fc8026873b

SHA256
328fe87fdf83bd0940fb9e6eabcb91c0ac446e421c377b7ba140b0df5f0fbd10

SHA512
6f0cf7aaea4d36b689a18df82e3fb75ec83c1961332d12dbbe7ff944a6c1225eae4b2c78f95d330a0b609cafe2ccd7ffef3934d4143be757b9bfc16c26ba2225

Download Submit
memory/296-0-0x000007FEF60B3000-0x000007FEF60B4000-memory.dmp

Filesize
4KB

Download
memory/296-1-0x0000000001120000-0x00000000012C2000-memory.dmp

Filesize
1.6MB

Download
memory/296-6-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/296-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/296-9-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/296-5-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/296-4-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/296-14-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/296-187-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/296-11-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/296-12-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/296-13-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/296-7-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/296-8-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/296-10-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/296-16-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/296-15-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/296-2-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/956-155-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/1280-156-0x0000000000EF0000-0x0000000001092000-memory.dmp

Filesize
1.6MB

Download
memory/1884-243-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/2072-278-0x0000000001310000-0x00000000014B2000-memory.dmp

Filesize
1.6MB

Download
memory/2288-255-0x0000000001240000-0x00000000013E2000-memory.dmp

Filesize
1.6MB

Download
memory/2508-157-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2568-231-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download