dcrat | aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
Size

19.8MB
MD5

3969991942bb5b6130977411ae258ab8
SHA1

c391e670488d73dc79c2acfab1e845d9c3e5227e
SHA256

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28
SHA512

ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a
SSDEEP

393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score

10^/10

dcrat umbral xworm execution infostealer rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000013acb-16.dat	family_umbral
behavioral1/memory/2672-17-0x0000000000E70000-0x0000000000EB0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2628-40-0x0000000001020000-0x0000000001036000-memory.dmp	family_xworm
behavioral1/files/0x0008000000014246-38.dat	family_xworm

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1896	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1896	schtasks.exe	37

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0036000000013a3a-19.dat	dcrat
behavioral1/files/0x0007000000014186-52.dat	dcrat
behavioral1/memory/816-56-0x00000000001D0000-0x00000000002A6000-memory.dmp	dcrat
behavioral1/files/0x0007000000014186-54.dat	dcrat
behavioral1/memory/2548-97-0x0000000000DC0000-0x0000000000E96000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe
2284	powershell.exe
876	powershell.exe
2156	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe

Executes dropped EXE 7 IoCs

pid	Process
2968	Nursultan (17).exe
2600	t.bat
2672	Umbral.exe
2456	Nursultan.exe
2628	LoaderMas.exe
816	Chainprovider.exe
2548	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
2968	Nursultan (17).exe
2556	cmd.exe
2556	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	Chainprovider.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	Chainprovider.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	Chainprovider.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\services.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\c5b4cb5e9653cc	Chainprovider.exe
File created	C:\Program Files\DVD Maker\en-US\wininit.exe	Chainprovider.exe
File created	C:\Program Files\DVD Maker\en-US\56085415360792	Chainprovider.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	Chainprovider.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Templates\spoolsv.exe	Chainprovider.exe
File created	C:\Windows\PLA\Templates\f3b6ecef712a24	Chainprovider.exe
File created	C:\Windows\DigitalLocker\it-IT\Nursultan.exe	Chainprovider.exe
File created	C:\Windows\DigitalLocker\it-IT\8aadbff539e144	Chainprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1052	schtasks.exe
2760	schtasks.exe
2608	schtasks.exe
940	schtasks.exe
1032	schtasks.exe
2532	schtasks.exe
1080	schtasks.exe
780	schtasks.exe
3024	schtasks.exe
2708	schtasks.exe
2428	schtasks.exe
2816	schtasks.exe
1860	schtasks.exe
452	schtasks.exe
2876	schtasks.exe
2084	schtasks.exe
1600	schtasks.exe
1244	schtasks.exe
1804	schtasks.exe
1624	schtasks.exe
3020	schtasks.exe
1356	schtasks.exe
2276	schtasks.exe
2772	schtasks.exe
1740	schtasks.exe
2104	schtasks.exe
3040	schtasks.exe
1872	schtasks.exe
824	schtasks.exe
2936	schtasks.exe
1240	schtasks.exe
2632	schtasks.exe
2440	schtasks.exe
2600	schtasks.exe
3008	schtasks.exe
3068	schtasks.exe
1364	schtasks.exe
1612	schtasks.exe
1156	schtasks.exe
1788	schtasks.exe
2624	schtasks.exe
836	schtasks.exe
2156	schtasks.exe
1964	schtasks.exe
2584	schtasks.exe
1256	schtasks.exe
2952	schtasks.exe
2692	schtasks.exe
2728	schtasks.exe
2892	schtasks.exe
904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2456	Nursultan.exe
816	Chainprovider.exe
816	Chainprovider.exe
816	Chainprovider.exe
816	Chainprovider.exe
816	Chainprovider.exe
2548	winlogon.exe
2388	powershell.exe
2156	powershell.exe
2284	powershell.exe
876	powershell.exe
2628	LoaderMas.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	Umbral.exe
Token: SeDebugPrivilege	2628	LoaderMas.exe
Token: SeIncreaseQuotaPrivilege	2912	wmic.exe
Token: SeSecurityPrivilege	2912	wmic.exe
Token: SeTakeOwnershipPrivilege	2912	wmic.exe
Token: SeLoadDriverPrivilege	2912	wmic.exe
Token: SeSystemProfilePrivilege	2912	wmic.exe
Token: SeSystemtimePrivilege	2912	wmic.exe
Token: SeProfSingleProcessPrivilege	2912	wmic.exe
Token: SeIncBasePriorityPrivilege	2912	wmic.exe
Token: SeCreatePagefilePrivilege	2912	wmic.exe
Token: SeBackupPrivilege	2912	wmic.exe
Token: SeRestorePrivilege	2912	wmic.exe
Token: SeShutdownPrivilege	2912	wmic.exe
Token: SeDebugPrivilege	2912	wmic.exe
Token: SeSystemEnvironmentPrivilege	2912	wmic.exe
Token: SeRemoteShutdownPrivilege	2912	wmic.exe
Token: SeUndockPrivilege	2912	wmic.exe
Token: SeManageVolumePrivilege	2912	wmic.exe
Token: 33	2912	wmic.exe
Token: 34	2912	wmic.exe
Token: 35	2912	wmic.exe
Token: SeIncreaseQuotaPrivilege	2912	wmic.exe
Token: SeSecurityPrivilege	2912	wmic.exe
Token: SeTakeOwnershipPrivilege	2912	wmic.exe
Token: SeLoadDriverPrivilege	2912	wmic.exe
Token: SeSystemProfilePrivilege	2912	wmic.exe
Token: SeSystemtimePrivilege	2912	wmic.exe
Token: SeProfSingleProcessPrivilege	2912	wmic.exe
Token: SeIncBasePriorityPrivilege	2912	wmic.exe
Token: SeCreatePagefilePrivilege	2912	wmic.exe
Token: SeBackupPrivilege	2912	wmic.exe
Token: SeRestorePrivilege	2912	wmic.exe
Token: SeShutdownPrivilege	2912	wmic.exe
Token: SeDebugPrivilege	2912	wmic.exe
Token: SeSystemEnvironmentPrivilege	2912	wmic.exe
Token: SeRemoteShutdownPrivilege	2912	wmic.exe
Token: SeUndockPrivilege	2912	wmic.exe
Token: SeManageVolumePrivilege	2912	wmic.exe
Token: 33	2912	wmic.exe
Token: 34	2912	wmic.exe
Token: 35	2912	wmic.exe
Token: SeDebugPrivilege	816	Chainprovider.exe
Token: SeDebugPrivilege	2548	winlogon.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2628	LoaderMas.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2628	LoaderMas.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2968	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 2876 wrote to memory of 2968	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 2876 wrote to memory of 2968	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	28
PID 2876 wrote to memory of 2600	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	78
PID 2876 wrote to memory of 2600	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	78
PID 2876 wrote to memory of 2600	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	78
PID 2876 wrote to memory of 2600	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	78
PID 2876 wrote to memory of 2672	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2876 wrote to memory of 2672	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2876 wrote to memory of 2672	2876	aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe	30
PID 2600 wrote to memory of 2064	2600	t.bat	31
PID 2600 wrote to memory of 2064	2600	t.bat	31
PID 2600 wrote to memory of 2064	2600	t.bat	31
PID 2600 wrote to memory of 2064	2600	t.bat	31
PID 2968 wrote to memory of 2456	2968	Nursultan (17).exe	32
PID 2968 wrote to memory of 2456	2968	Nursultan (17).exe	32
PID 2968 wrote to memory of 2456	2968	Nursultan (17).exe	32
PID 2968 wrote to memory of 2628	2968	Nursultan (17).exe	34
PID 2968 wrote to memory of 2628	2968	Nursultan (17).exe	34
PID 2968 wrote to memory of 2628	2968	Nursultan (17).exe	34
PID 2672 wrote to memory of 2912	2672	Umbral.exe	35
PID 2672 wrote to memory of 2912	2672	Umbral.exe	35
PID 2672 wrote to memory of 2912	2672	Umbral.exe	35
PID 2064 wrote to memory of 2556	2064	WScript.exe	38
PID 2064 wrote to memory of 2556	2064	WScript.exe	38
PID 2064 wrote to memory of 2556	2064	WScript.exe	38
PID 2064 wrote to memory of 2556	2064	WScript.exe	38
PID 2556 wrote to memory of 816	2556	cmd.exe	40
PID 2556 wrote to memory of 816	2556	cmd.exe	40
PID 2556 wrote to memory of 816	2556	cmd.exe	40
PID 2556 wrote to memory of 816	2556	cmd.exe	40
PID 816 wrote to memory of 2548	816	Chainprovider.exe	92
PID 816 wrote to memory of 2548	816	Chainprovider.exe	92
PID 816 wrote to memory of 2548	816	Chainprovider.exe	92
PID 2628 wrote to memory of 2388	2628	LoaderMas.exe	93
PID 2628 wrote to memory of 2388	2628	LoaderMas.exe	93
PID 2628 wrote to memory of 2388	2628	LoaderMas.exe	93
PID 2628 wrote to memory of 2156	2628	LoaderMas.exe	95
PID 2628 wrote to memory of 2156	2628	LoaderMas.exe	95
PID 2628 wrote to memory of 2156	2628	LoaderMas.exe	95
PID 2628 wrote to memory of 2284	2628	LoaderMas.exe	97
PID 2628 wrote to memory of 2284	2628	LoaderMas.exe	97
PID 2628 wrote to memory of 2284	2628	LoaderMas.exe	97
PID 2628 wrote to memory of 876	2628	LoaderMas.exe	99
PID 2628 wrote to memory of 876	2628	LoaderMas.exe	99
PID 2628 wrote to memory of 876	2628	LoaderMas.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe
"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\Nursultan.exe
    "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- - C:\Users\Admin\AppData\Roaming\LoaderMas.exe
    "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
- C:\Users\Admin\AppData\Roaming\t.bat
  "C:\Users\Admin\AppData\Roaming\t.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\perfdhcpSvc\Chainprovider.exe
        
        "C:\perfdhcpSvc\Chainprovider.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
      - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Nurik\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Nurik\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Nurik\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Nurik\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Nurik\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Nurik\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\perfdhcpSvc\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\perfdhcpSvc\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\perfdhcpSvc\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Nurik\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Nurik\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Nurik\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMas" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\it-IT\Nursultan.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\it-IT\Nursultan.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Nurik\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Nurik\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Nurik\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\perfdhcpSvc\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\perfdhcpSvc\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LoaderMas.exe

Filesize
63KB

MD5
a0dbdf3af38ead2237ccb781a098a431

SHA1
1434296af6c5530eb036718e860490e0adc3321a

SHA256
6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

SHA512
dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0UDHXIQP5ZVDATXCCS6N.temp

Filesize
7KB

MD5
69302321e63e560b460df385903344c3

SHA1
01d085fb5fcd72bec39d06db5dacac5e385649ce

SHA256
ba977c026fa6ce93468bf8e50656fa85459183c14c939a2323a5e47e239314a1

SHA512
581fcd8a6d85b217b360662d354a6cc3f51230801eea0a56c11679a1784b0eed8d49814390cc2b5904cdc3c7cb135d0ce54523924a1bbd9c6c237d3a2c0d004e

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

Filesize
2.1MB

MD5
d4aa5924f06302d95ad4fc41e533d3bb

SHA1
9df9116960b9dcc35ee4f776b1c43354c0448e6a

SHA256
c8cc1c9d64ed9db5a85b7ecacb8cf97e277efaf767b8f2fbdf1d9d1125817a26

SHA512
fe54d6fd55a11f99c41548391b4156f1334c6df124ed9ee082960c67b658c0c5f399380b349d43e080ce133e9d7d2025444bb06cfe5a02fffae2f654f21301c3

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

Filesize
2.8MB

MD5
63bd502af7b50329d95efeacf5b385ac

SHA1
fb336127a08e8e8ed5b24449ffa151f69549389e

SHA256
e6ad1d720fe14bb6b5efd1ef6b5ce72eeef6e7da00c32d12e2b37f984a11c4c4

SHA512
630ef02a4a0af4c6db17043aed1fcf17c6f378d9ae21684276223051f5da60b867b3e0ac6e6c72e49ac97bdd4fbd3f52d456564009df8f2e0c2f3aa115b0156b

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan.exe

Filesize
2.1MB

MD5
0d610dc8809a1b2992c2fa474952dd40

SHA1
d58fe1025188a8b33ba4dca6d667870e315cdaf5

SHA256
d33e3f64db14413a732b685448b25fad65e27b612c76d81f13baf573845211df

SHA512
f212a6c881c8d776ddd6109419a596dfe61b2e8d2943ff4fdea1195ca887a693febd78f9ba2da70e22572cd5a5a7209e2c25090b013e88b01e490a44712c0631

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
229KB

MD5
f48ef033300ec9fd3c77afff5c20e95f

SHA1
22d6125b980474b3f54937003a765cdd5352f9a8

SHA256
72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

SHA512
847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

Download Submit
C:\Users\Admin\AppData\Roaming\t.bat

Filesize
1.1MB

MD5
d85bd59cf0808fb894f60773e1594a0a

SHA1
84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

SHA256
f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

SHA512
225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

Download Submit
C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

Filesize
200B

MD5
00b53f3e200522631227cac1a07e0646

SHA1
a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

SHA256
486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

SHA512
22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

Download Submit
C:\perfdhcpSvc\mStUjP0ksX5N.bat

Filesize
34B

MD5
a9330c6da12d90d5d956ae2bbcf017d7

SHA1
7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

SHA256
b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

SHA512
557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

Download Submit
\perfdhcpSvc\Chainprovider.exe

Filesize
827KB

MD5
d2ec227ddac047e735393e58e742fd44

SHA1
7aae5c76378f7cfcff8bb983695fa4c2577a20e2

SHA256
0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

SHA512
5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

Download Submit
\perfdhcpSvc\Chainprovider.exe

Filesize
448KB

MD5
229c9d93312c69ccf7b4666e2ffd09a2

SHA1
0599f3da31c8b871dcc078bec50e61085da7ce19

SHA256
bece1bf1a4f58b86479abab668b46751ba55227b1e45119fc38e7fa68ce225dd

SHA512
1d59f3b0f21ef90bdff3b607cc9ec8157dbfad1680aeebc48d49e405a212572f4da2dfa681c7b2f24cb97f41a0ca064e5b9efce070c9219949423a690a96176b

Download Submit
memory/816-56-0x00000000001D0000-0x00000000002A6000-memory.dmp

Filesize
856KB

Download
memory/2156-110-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2156-109-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2388-103-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2388-102-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2456-42-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2456-47-0x0000000140000000-0x0000000142153000-memory.dmp

Filesize
33.3MB

Download
memory/2456-46-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2456-44-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2548-97-0x0000000000DC0000-0x0000000000E96000-memory.dmp

Filesize
856KB

Download
memory/2628-40-0x0000000001020000-0x0000000001036000-memory.dmp

Filesize
88KB

Download
memory/2672-17-0x0000000000E70000-0x0000000000EB0000-memory.dmp

Filesize
256KB

Download
memory/2876-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000001300000-0x00000000026D0000-memory.dmp

Filesize
19.8MB

Download
memory/2968-27-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-18-0x0000000000F30000-0x000000000216A000-memory.dmp

Filesize
18.2MB

Download
memory/2968-39-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download