dcrat | 53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80

Analysis

max time kernel
151s
max time network
154s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe
Size

1.3MB
MD5

ee1d63ef602b127a19f4d8d5570858da
SHA1

da38fcc5f27bced51a02452bea36d84b680a06c3
SHA256

53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80
SHA512

c4447fe41c7c3db7b273c69c623a170a05be6ec6d68ec9452a074ae990cc7dcb1f066655751dc4bb48b7d03fb5b220f47490f4c5237f7443f949a6cc0dff5d0d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4896	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4896	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4896	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4896	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4896	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4896	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001abef-279.dat	dcrat
behavioral1/files/0x000600000001abef-280.dat	dcrat
behavioral1/memory/4272-281-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf4-400.dat	dcrat
behavioral1/files/0x000600000001abf4-399.dat	dcrat
behavioral1/files/0x000600000001abf4-406.dat	dcrat
behavioral1/files/0x000600000001abf4-412.dat	dcrat
behavioral1/files/0x000600000001abf4-417.dat	dcrat
behavioral1/files/0x000600000001abf4-422.dat	dcrat
behavioral1/files/0x000600000001abf4-427.dat	dcrat
behavioral1/files/0x000600000001abf4-433.dat	dcrat
behavioral1/files/0x000600000001abf4-438.dat	dcrat
behavioral1/files/0x000600000001abf4-443.dat	dcrat
behavioral1/files/0x000600000001abf4-448.dat	dcrat
behavioral1/files/0x000600000001abf4-453.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4272	DllCommonsvc.exe
3664	fontdrvhost.exe
4208	fontdrvhost.exe
4260	fontdrvhost.exe
1576	fontdrvhost.exe
4308	fontdrvhost.exe
1456	fontdrvhost.exe
3316	fontdrvhost.exe
488	fontdrvhost.exe
4340	fontdrvhost.exe
4716	fontdrvhost.exe
3168	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4556	schtasks.exe
4328	schtasks.exe
4544	schtasks.exe
4572	schtasks.exe
4616	schtasks.exe
3496	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4272	DllCommonsvc.exe
4940	powershell.exe
4928	powershell.exe
5012	powershell.exe
5012	powershell.exe
4940	powershell.exe
4928	powershell.exe
4928	powershell.exe
5012	powershell.exe
4940	powershell.exe
3664	fontdrvhost.exe
4208	fontdrvhost.exe
4260	fontdrvhost.exe
1576	fontdrvhost.exe
4308	fontdrvhost.exe
1456	fontdrvhost.exe
3316	fontdrvhost.exe
488	fontdrvhost.exe
4340	fontdrvhost.exe
4716	fontdrvhost.exe
3168	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	DllCommonsvc.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4928	powershell.exe
Token: SeSecurityPrivilege	4928	powershell.exe
Token: SeTakeOwnershipPrivilege	4928	powershell.exe
Token: SeLoadDriverPrivilege	4928	powershell.exe
Token: SeSystemProfilePrivilege	4928	powershell.exe
Token: SeSystemtimePrivilege	4928	powershell.exe
Token: SeProfSingleProcessPrivilege	4928	powershell.exe
Token: SeIncBasePriorityPrivilege	4928	powershell.exe
Token: SeCreatePagefilePrivilege	4928	powershell.exe
Token: SeBackupPrivilege	4928	powershell.exe
Token: SeRestorePrivilege	4928	powershell.exe
Token: SeShutdownPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeSystemEnvironmentPrivilege	4928	powershell.exe
Token: SeRemoteShutdownPrivilege	4928	powershell.exe
Token: SeUndockPrivilege	4928	powershell.exe
Token: SeManageVolumePrivilege	4928	powershell.exe
Token: 33	4928	powershell.exe
Token: 34	4928	powershell.exe
Token: 35	4928	powershell.exe
Token: 36	4928	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	powershell.exe
Token: SeSecurityPrivilege	5012	powershell.exe
Token: SeTakeOwnershipPrivilege	5012	powershell.exe
Token: SeLoadDriverPrivilege	5012	powershell.exe
Token: SeSystemProfilePrivilege	5012	powershell.exe
Token: SeSystemtimePrivilege	5012	powershell.exe
Token: SeProfSingleProcessPrivilege	5012	powershell.exe
Token: SeIncBasePriorityPrivilege	5012	powershell.exe
Token: SeCreatePagefilePrivilege	5012	powershell.exe
Token: SeBackupPrivilege	5012	powershell.exe
Token: SeRestorePrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeSystemEnvironmentPrivilege	5012	powershell.exe
Token: SeRemoteShutdownPrivilege	5012	powershell.exe
Token: SeUndockPrivilege	5012	powershell.exe
Token: SeManageVolumePrivilege	5012	powershell.exe
Token: 33	5012	powershell.exe
Token: 34	5012	powershell.exe
Token: 35	5012	powershell.exe
Token: 36	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4940	powershell.exe
Token: SeSecurityPrivilege	4940	powershell.exe
Token: SeTakeOwnershipPrivilege	4940	powershell.exe
Token: SeLoadDriverPrivilege	4940	powershell.exe
Token: SeSystemProfilePrivilege	4940	powershell.exe
Token: SeSystemtimePrivilege	4940	powershell.exe
Token: SeProfSingleProcessPrivilege	4940	powershell.exe
Token: SeIncBasePriorityPrivilege	4940	powershell.exe
Token: SeCreatePagefilePrivilege	4940	powershell.exe
Token: SeBackupPrivilege	4940	powershell.exe
Token: SeRestorePrivilege	4940	powershell.exe
Token: SeShutdownPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeSystemEnvironmentPrivilege	4940	powershell.exe
Token: SeRemoteShutdownPrivilege	4940	powershell.exe
Token: SeUndockPrivilege	4940	powershell.exe
Token: SeManageVolumePrivilege	4940	powershell.exe
Token: 33	4940	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 5052	2728	53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe	66
PID 2728 wrote to memory of 5052	2728	53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe	66
PID 2728 wrote to memory of 5052	2728	53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe	66
PID 5052 wrote to memory of 3872	5052	WScript.exe	67
PID 5052 wrote to memory of 3872	5052	WScript.exe	67
PID 5052 wrote to memory of 3872	5052	WScript.exe	67
PID 3872 wrote to memory of 4272	3872	cmd.exe	69
PID 3872 wrote to memory of 4272	3872	cmd.exe	69
PID 4272 wrote to memory of 5012	4272	DllCommonsvc.exe	79
PID 4272 wrote to memory of 5012	4272	DllCommonsvc.exe	79
PID 4272 wrote to memory of 4928	4272	DllCommonsvc.exe	78
PID 4272 wrote to memory of 4928	4272	DllCommonsvc.exe	78
PID 4272 wrote to memory of 4940	4272	DllCommonsvc.exe	76
PID 4272 wrote to memory of 4940	4272	DllCommonsvc.exe	76
PID 4272 wrote to memory of 748	4272	DllCommonsvc.exe	81
PID 4272 wrote to memory of 748	4272	DllCommonsvc.exe	81
PID 748 wrote to memory of 4688	748	cmd.exe	84
PID 748 wrote to memory of 4688	748	cmd.exe	84
PID 748 wrote to memory of 3664	748	cmd.exe	87
PID 748 wrote to memory of 3664	748	cmd.exe	87
PID 3664 wrote to memory of 4760	3664	fontdrvhost.exe	88
PID 3664 wrote to memory of 4760	3664	fontdrvhost.exe	88
PID 4760 wrote to memory of 3776	4760	cmd.exe	90
PID 4760 wrote to memory of 3776	4760	cmd.exe	90
PID 4760 wrote to memory of 4208	4760	cmd.exe	91
PID 4760 wrote to memory of 4208	4760	cmd.exe	91
PID 4208 wrote to memory of 4988	4208	fontdrvhost.exe	92
PID 4208 wrote to memory of 4988	4208	fontdrvhost.exe	92
PID 4988 wrote to memory of 1300	4988	cmd.exe	94
PID 4988 wrote to memory of 1300	4988	cmd.exe	94
PID 4988 wrote to memory of 4260	4988	cmd.exe	95
PID 4988 wrote to memory of 4260	4988	cmd.exe	95
PID 4260 wrote to memory of 4864	4260	fontdrvhost.exe	96
PID 4260 wrote to memory of 4864	4260	fontdrvhost.exe	96
PID 4864 wrote to memory of 4468	4864	cmd.exe	98
PID 4864 wrote to memory of 4468	4864	cmd.exe	98
PID 4864 wrote to memory of 1576	4864	cmd.exe	99
PID 4864 wrote to memory of 1576	4864	cmd.exe	99
PID 1576 wrote to memory of 4912	1576	fontdrvhost.exe	100
PID 1576 wrote to memory of 4912	1576	fontdrvhost.exe	100
PID 4912 wrote to memory of 3920	4912	cmd.exe	102
PID 4912 wrote to memory of 3920	4912	cmd.exe	102
PID 4912 wrote to memory of 4308	4912	cmd.exe	103
PID 4912 wrote to memory of 4308	4912	cmd.exe	103
PID 4308 wrote to memory of 1848	4308	fontdrvhost.exe	104
PID 4308 wrote to memory of 1848	4308	fontdrvhost.exe	104
PID 1848 wrote to memory of 1368	1848	cmd.exe	106
PID 1848 wrote to memory of 1368	1848	cmd.exe	106
PID 1848 wrote to memory of 1456	1848	cmd.exe	107
PID 1848 wrote to memory of 1456	1848	cmd.exe	107
PID 1456 wrote to memory of 1364	1456	fontdrvhost.exe	108
PID 1456 wrote to memory of 1364	1456	fontdrvhost.exe	108
PID 1364 wrote to memory of 428	1364	cmd.exe	110
PID 1364 wrote to memory of 428	1364	cmd.exe	110
PID 1364 wrote to memory of 3316	1364	cmd.exe	111
PID 1364 wrote to memory of 3316	1364	cmd.exe	111
PID 3316 wrote to memory of 1792	3316	fontdrvhost.exe	112
PID 3316 wrote to memory of 1792	3316	fontdrvhost.exe	112
PID 1792 wrote to memory of 660	1792	cmd.exe	114
PID 1792 wrote to memory of 660	1792	cmd.exe	114
PID 1792 wrote to memory of 488	1792	cmd.exe	115
PID 1792 wrote to memory of 488	1792	cmd.exe	115
PID 488 wrote to memory of 2640	488	fontdrvhost.exe	116
PID 488 wrote to memory of 2640	488	fontdrvhost.exe	116

C:\Users\Admin\AppData\Local\Temp\53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe
"C:\Users\Admin\AppData\Local\Temp\53368d43243cf7dd4690ed5925b24a1c7fdd79e7cd084b31ad34fb4a91371a80.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\41WQ2Fy3zH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4688
      - C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3776
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1300
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4468
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3920
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1368
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:428
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:660
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        21⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4352
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        23⤵
        
        PID:4464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4056
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
        25⤵
        
        PID:4944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1464
        
        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
        27⤵
        
        PID:4528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c54ff6cd7db20ebbcbcd2ae2d8f1f03

SHA1
4ab647c85091a3eeff8e828471cc581c2fcba3b4

SHA256
bb34678ec0ffce88f3302ddfc719d879e837254e43a0cc336bed007045f93272

SHA512
4e768867c5beab5444b4c22a66ad6b44c3dd50299eccdbc6aab6db381f6c76c7594f2d120d1afd15fa21629ab38f44f25898fd3622a28ffecf563fd9364334f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41WQ2Fy3zH.bat

Filesize
247B

MD5
503ba104f948b7c76bae1bc12bb0b3a7

SHA1
89a4a9e5197c71ee46fd59ae8f4f64780664ead9

SHA256
42e0006eea58c4f2d6665d68f140f5374f018e164108d7274e4b25aec088bc85

SHA512
150b5fd4b392573d38fc2e761a69c8ae24d2ab79e7f1bf63f8fd79b778db7190637b6abb0c63c3e2edffc707279570f5b4a0c967aee6de49b8cf85779303dd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
247B

MD5
d134e0c03452671b686faaf04d022fc8

SHA1
be9ae0f0a23594cd5f2391aee6572c320670c7a3

SHA256
45696998ab7933c6a68b000429747db531b18cc1a1e7113a1ace0c6910f847f5

SHA512
f015e5b2cd35036ac50c86df4c06206297a8ce460060bd1bbfe09c913ef89f1f926ce0961e5bc932c045632b38bd95689dcf9e35db0cad5abc12bec0512b988f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
247B

MD5
9c0af6a3e3c5d2177ba0cc2e4fa514dc

SHA1
7d882c0bf62b511e5d7b7cba8ab1a871f869bb7e

SHA256
9cb25d39cd088c8c3e4894b73ceadf69d2b5f4cbc2ff0ab2560401d24a497425

SHA512
518dd570d386bbc6d0c30556073bcd351a0e351e535d28c8faeef783a2145f611df3352d425825ef0cb32086a2679142f53987400df5b62573eacf3dd6885a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

Filesize
247B

MD5
134f2dabbd0b4bf11bff6f567e4177ab

SHA1
2c8726bcb7ecfb82c92c97c8461f4c6e7f4c67ed

SHA256
25d55ea00633940741b1dca9d805489c65a1b03049b55b8df55083d6cc0d678f

SHA512
e6000728e04000c5fe2bf5736d027c1a6a35d75a76a8846e4cab6d9b3105aaac55c966774b3f20b0c75dc288c61788704b61a51f9ce6a103a0b75e5d8024bdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

Filesize
247B

MD5
134f2dabbd0b4bf11bff6f567e4177ab

SHA1
2c8726bcb7ecfb82c92c97c8461f4c6e7f4c67ed

SHA256
25d55ea00633940741b1dca9d805489c65a1b03049b55b8df55083d6cc0d678f

SHA512
e6000728e04000c5fe2bf5736d027c1a6a35d75a76a8846e4cab6d9b3105aaac55c966774b3f20b0c75dc288c61788704b61a51f9ce6a103a0b75e5d8024bdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
247B

MD5
2f1dd450ceac22e1a90ed936860e06e2

SHA1
73dcdcac5e8e6eec3a55d75bef6d34762a76b307

SHA256
ca075568d83443bcf5d6164c8412b052e9f538d5e072ce0bcee78c2cacbee067

SHA512
4dde00216ea94b3f73d02aaab4f583438dbb14eb00457e10a81343f9289355286feb62c27174ae7482d0e070013a24d6ca9d8879037a3c06947c95531dd2ba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

Filesize
247B

MD5
7a75b2b3043768d01e90570a2b6f10e6

SHA1
17c600a0c2b88582a3dbae7cc165ebcafb962928

SHA256
44dfb6ff166b728c47fb9a621fbe0fb634e100cbe9e228dd0ad128e7c6d48648

SHA512
bed802b9cb8c48494efa38e779ed7438d10359ed9afc5d3bf7463bce5c267140e46e6e43965d3547686a5da948659c4832f438e02e14f95a79ada51fa5d3bef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
247B

MD5
85fd5846d2a1f311f9530265da202d9e

SHA1
09c42a4c071544f7d2cbe1422d6366d12a5d00a7

SHA256
660cc6879fe40b1b9e1bf78e16ad2dd512ba9f0627e72ee22f58c0a281a97292

SHA512
2f5954a7339cbcfce5e22a9691e2b954c3d600030b7573a2ca4d9c2f8f888c73253762f02b3bceaeb7817547647389c06fc0055e2f12dce748fb0e5937e1d4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
247B

MD5
1e729c4ccab48868d69dd6c5310d9d3c

SHA1
7a0699c4e3fc084103d447587889e3ab0e498256

SHA256
132d1a09d9255dacbb4c75d38554ad9bedfefa5fb5cb2d2ed1b89c3de28c9ebd

SHA512
666fc3279e1e9dc95201d8991af959b983b63d8f15ca6114aeffdfccf96fcd4babf0beea723bfee81f7e7fc651fae232864f82eb6b14ee8528c42372fe828e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
247B

MD5
e96e358013e9eca89fdcacf2e3858715

SHA1
53625d6832d967a9c7a6b04f5a8553809719c8a8

SHA256
f7d90b0cf2badf2d56594a1880502d6d60869ad8dcc9d1c2768fa32d4bb8c956

SHA512
ec0c753552dba881590d7f4ef098b68024c5fec46398b0abb64686086856cf8cab8d28440476678d375049e8941acc11f334d940c57b289f462d1fdac4322c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
247B

MD5
e96e358013e9eca89fdcacf2e3858715

SHA1
53625d6832d967a9c7a6b04f5a8553809719c8a8

SHA256
f7d90b0cf2badf2d56594a1880502d6d60869ad8dcc9d1c2768fa32d4bb8c956

SHA512
ec0c753552dba881590d7f4ef098b68024c5fec46398b0abb64686086856cf8cab8d28440476678d375049e8941acc11f334d940c57b289f462d1fdac4322c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
247B

MD5
06b13e1740d2455a4918eeb1bba0f594

SHA1
edf2290b1f9164d81819892f1d98483e9fe2454f

SHA256
5fcf58273075816bd3231f7c7d4df928c5779df41ac3ecf0b797674a04c26fbb

SHA512
a5d7cb2e650bb82c19d8cc310fcd517191f24a7a4ef86b2d9b8d8ffc65d85068a2ac129f2a56e6c70cf405a0492da9a049302351f64261d3c3d5919724c7b7b6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1456-428-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/2728-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-164-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-165-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-167-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-166-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-169-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-168-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-170-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-171-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-172-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-173-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-174-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-176-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-175-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-162-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-161-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-178-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-177-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-160-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-159-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-152-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-154-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-157-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-158-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-153-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-163-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-143-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-141-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-140-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3168-454-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/3664-401-0x0000000001460000-0x0000000001472000-memory.dmp

Filesize
72KB

Download
memory/4272-281-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/4272-282-0x00000000011B0000-0x00000000011C2000-memory.dmp

Filesize
72KB

Download
memory/4272-283-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/4272-285-0x00000000016B0000-0x00000000016BC000-memory.dmp

Filesize
48KB

Download
memory/4272-284-0x00000000016A0000-0x00000000016AC000-memory.dmp

Filesize
48KB

Download
memory/4940-301-0x0000023A3CED0000-0x0000023A3CEF2000-memory.dmp

Filesize
136KB

Download
memory/5012-310-0x00000281D65C0000-0x00000281D6636000-memory.dmp

Filesize
472KB

Download
memory/5052-180-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/5052-181-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download