dcrat | 55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b

Analysis

max time kernel
141s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
22-01-2023 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe
Size

1.1MB
MD5

f10fe10a538f342b001eb1c9ee3855f1
SHA1

b52c40944c9a593ab5fb2bdb878c43f7f0f63361
SHA256

55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b
SHA512

c09ee1ff09a34ce6443e8b1505b52b334db742fad8545d8354b2ada8361fe07d00c7e9350160cb0cddb1a122d2c3c2355ecbe5058cb0939e2ebfda8a2b6612db
SSDEEP

24576:U2G/nvxW3Ww0tWamzgLwLwTi7Pvezfsj088gN/aqEUIr2:UbA30WBujO+fsj0DIcUl

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4384	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe	dcrat
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe	dcrat
behavioral1/memory/4124-286-0x0000000000EF0000-0x0000000000FC6000-memory.dmp	dcrat
C:\Recovery\WindowsRE\conhost.exe	dcrat
C:\Recovery\WindowsRE\conhost.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

BridgeDriverCommon.execonhost.exe

pid process

4124 BridgeDriverCommon.exe
764 conhost.exe

Drops file in Program Files directory 9 IoCs

Processes:

BridgeDriverCommon.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\defaults\fontdrvhost.exe	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\cc11b995f2a76d	BridgeDriverCommon.exe
File created	C:\Program Files\Windows Multimedia Platform\lsass.exe	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe	BridgeDriverCommon.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\5940a34987c991	BridgeDriverCommon.exe
File created	C:\Program Files\Mozilla Firefox\defaults\5b884080fd4f94	BridgeDriverCommon.exe
File created	C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7	BridgeDriverCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4956	schtasks.exe
4156	schtasks.exe
4232	schtasks.exe
3020	schtasks.exe
4840	schtasks.exe
4992	schtasks.exe
4644	schtasks.exe
5064	schtasks.exe
4424	schtasks.exe
4176	schtasks.exe
3888	schtasks.exe
4888	schtasks.exe
4972	schtasks.exe
1804	schtasks.exe
4020	schtasks.exe
3284	schtasks.exe
3344	schtasks.exe
4240	schtasks.exe
4824	schtasks.exe
4648	schtasks.exe
4980	schtasks.exe
4188	schtasks.exe
4836	schtasks.exe
3720	schtasks.exe

Modifies registry class 2 IoCs

Processes:

55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exeBridgeDriverCommon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	BridgeDriverCommon.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

68 reg.exe

pid	process
68	reg.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

BridgeDriverCommon.execonhost.exe

pid	process
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
4124	BridgeDriverCommon.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe
764	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

764 conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BridgeDriverCommon.execonhost.exe

description pid process

Token: SeDebugPrivilege 4124 BridgeDriverCommon.exe
Token: SeDebugPrivilege 764 conhost.exe

pid	process
764	conhost.exe

description	pid	process
Token: SeDebugPrivilege	4124	BridgeDriverCommon.exe
Token: SeDebugPrivilege	764	conhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exeWScript.execmd.exeBridgeDriverCommon.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 3668	2512	55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe	WScript.exe
PID 2512 wrote to memory of 3668	2512	55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe	WScript.exe
PID 2512 wrote to memory of 3668	2512	55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe	WScript.exe
PID 3668 wrote to memory of 4544	3668	WScript.exe	cmd.exe
PID 3668 wrote to memory of 4544	3668	WScript.exe	cmd.exe
PID 3668 wrote to memory of 4544	3668	WScript.exe	cmd.exe
PID 4544 wrote to memory of 4124	4544	cmd.exe	BridgeDriverCommon.exe
PID 4544 wrote to memory of 4124	4544	cmd.exe	BridgeDriverCommon.exe
PID 4124 wrote to memory of 672	4124	BridgeDriverCommon.exe	cmd.exe
PID 4124 wrote to memory of 672	4124	BridgeDriverCommon.exe	cmd.exe
PID 672 wrote to memory of 1900	672	cmd.exe	w32tm.exe
PID 672 wrote to memory of 1900	672	cmd.exe	w32tm.exe
PID 4544 wrote to memory of 68	4544	cmd.exe	reg.exe
PID 4544 wrote to memory of 68	4544	cmd.exe	reg.exe
PID 4544 wrote to memory of 68	4544	cmd.exe	reg.exe
PID 672 wrote to memory of 764	672	cmd.exe	conhost.exe
PID 672 wrote to memory of 764	672	cmd.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe
"C:\Users\Admin\AppData\Local\Temp\55d40cd8c837c10a74fb135e0973db85a553209117a67008f68582b5bbbcf02b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\providernet\4jmQUE0o6kUl1Vu582jqzdW7c.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\providernet\vkgZEOQzYZEVY2BO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe
"C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ofEQwO3Cbj.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1900

C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:68

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\defaults\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgeDriverCommonB" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\BridgeDriverCommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgeDriverCommon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\BridgeDriverCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgeDriverCommonB" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\BridgeDriverCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\conhost.exe
Filesize
829KB

MD5
58a53522fff194ea5e41d1e8caf38bf1

SHA1
d08175471a2bcd2e7c3984d74757fab9a9d139e4

SHA256
c9d01883ed1ae6ede8b6f06a804da876efb1d28962668fd685cdc6c5a7140a69

SHA512
ca4ea6294413deaeb65c2b9bbb4379377ea04d0bde5721e527784f9879107ad6e5ee1cdcbf605159cf8f2f28166e4efb760dd59c542662efc4735909c89fc63f

Download Submit
C:\Recovery\WindowsRE\conhost.exe
Filesize
829KB

MD5
58a53522fff194ea5e41d1e8caf38bf1

SHA1
d08175471a2bcd2e7c3984d74757fab9a9d139e4

SHA256
c9d01883ed1ae6ede8b6f06a804da876efb1d28962668fd685cdc6c5a7140a69

SHA512
ca4ea6294413deaeb65c2b9bbb4379377ea04d0bde5721e527784f9879107ad6e5ee1cdcbf605159cf8f2f28166e4efb760dd59c542662efc4735909c89fc63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofEQwO3Cbj.bat
Filesize
198B

MD5
f0cded0b643e7ea8d9fac68678a31b90

SHA1
56f483af3ef96efcbd872e8e974f0c2517961dd6

SHA256
d9e81a154df131a89e34c43a660c3ef8ef60f83412518531b8d7f025f4afeab9

SHA512
e7396f41be79e8ff2e35f7f6711164df21bc2387735984b599afc674a20e8dd4e15288d9a073f06057c7d576ebdebbd52690536224621a5fb8785cd0a12cacf7

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\4jmQUE0o6kUl1Vu582jqzdW7c.vbe
Filesize
211B

MD5
9fc5132d34f1452b73382bce3bcda006

SHA1
587485123f3174e839eb76cb54f4369643577b20

SHA256
c21067aa7f2312a0de760c4726f8431f6af84edeb6575f4e7ce7d923d91a043e

SHA512
bd707bc48e7b1ae92ab49f67002f93d2e27a9d0a8bbccfad0fae514a02e63c8a6b5f965f894f5c96dc496fb455d81a652c2837b97b6b675b0c2373c0153b0ea3

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe
Filesize
829KB

MD5
58a53522fff194ea5e41d1e8caf38bf1

SHA1
d08175471a2bcd2e7c3984d74757fab9a9d139e4

SHA256
c9d01883ed1ae6ede8b6f06a804da876efb1d28962668fd685cdc6c5a7140a69

SHA512
ca4ea6294413deaeb65c2b9bbb4379377ea04d0bde5721e527784f9879107ad6e5ee1cdcbf605159cf8f2f28166e4efb760dd59c542662efc4735909c89fc63f

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe
Filesize
829KB

MD5
58a53522fff194ea5e41d1e8caf38bf1

SHA1
d08175471a2bcd2e7c3984d74757fab9a9d139e4

SHA256
c9d01883ed1ae6ede8b6f06a804da876efb1d28962668fd685cdc6c5a7140a69

SHA512
ca4ea6294413deaeb65c2b9bbb4379377ea04d0bde5721e527784f9879107ad6e5ee1cdcbf605159cf8f2f28166e4efb760dd59c542662efc4735909c89fc63f

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\vkgZEOQzYZEVY2BO.bat
Filesize
158B

MD5
2f7acb46c6cf751eb8dc3ddce96e4303

SHA1
65ad2e7b73840b6652546d040eab78cb5c51b6fb

SHA256
54e27a15b7d052f48e619e0329967e7cddab696489b7968cdf90b223a0b63906

SHA512
144a592c510259a5b6b2b634d260b3a6c5926322de16168a416c68ab3c230b2ab147b60c2a8c0b70eec96c3d1bd737aac583948abe12d24dfe5b0beda7f46046

Download Submit
memory/68-290-0x0000000000000000-mapping.dmp

Download
memory/672-287-0x0000000000000000-mapping.dmp

Download
memory/764-303-0x0000000000000000-mapping.dmp

Download
memory/1900-289-0x0000000000000000-mapping.dmp

Download
memory/2512-156-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-162-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-132-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-133-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-135-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-136-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-134-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-137-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-138-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-139-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-140-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-141-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-131-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-142-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-143-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-144-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-145-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-146-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-147-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-148-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-149-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-150-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-151-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-152-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-153-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-154-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-155-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-129-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-157-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-158-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-159-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-160-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-161-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-130-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-163-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-164-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-165-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-166-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-167-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-168-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-169-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-171-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-172-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-170-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-173-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-174-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-175-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-176-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-177-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-178-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-179-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-180-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-181-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-182-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-183-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-120-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-121-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-122-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-123-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-125-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-128-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2512-126-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-186-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-185-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-184-0x0000000000000000-mapping.dmp

Download
memory/4124-286-0x0000000000EF0000-0x0000000000FC6000-memory.dmp

Filesize
856KB

Download
memory/4124-283-0x0000000000000000-mapping.dmp

Download
memory/4544-260-0x0000000000000000-mapping.dmp

Download