dcrat | f4e113eaba1238c566ce7eb0a0d8cc1a579d0044533a949098fc332dd25d2146

Analysis

max time kernel
900s
max time network
901s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blue.cc/Blue cc/blue.cc.exe
Size

5.7MB
MD5

f3edbc69d3579a04978e4a90825b2c86
SHA1

0a4c0b114f28c63c021756d7d9009652712566e8
SHA256

8afbd41db0f57e93abe9c3337571e9775eb15b96835252e3cfcdffe01d6fe0e4
SHA512

4829622b1fe7fe86ef9dc9a793bb805664717dd32fab380678e0aa2cbc2d6e14ef1e4d8da86d1a99cf0e607c50dd9bbb8227eecef06e731a7596d1e8703db639
SSDEEP

98304:YPzPxjBNchBLJX4jTq+Q0SBPOOx7G1NcL+X1pYjJT1xMetHxPP+NlU7qG7BnjuA7:YPdBNcRX9FBm4SciDY91KetRHIM9QRPY

Score

10^/10

dcrat xmrig discovery evasion execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/3712-328-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-327-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-325-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-326-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-323-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-329-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-322-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-332-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-333-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-334-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-335-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3712-336-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3900	powershell.exe
4884	powershell.exe
4092	powershell.exe
4824	powershell.exe
3696	powershell.exe
3228	powershell.exe
2120	powershell.exe
4776	powershell.exe
3904	powershell.exe
3828	powershell.exe
4732	powershell.exe
4844	powershell.exe
1048	powershell.exe
4664	powershell.exe
832	powershell.exe
648	powershell.exe
1288	powershell.exe
4752	powershell.exe
2012	powershell.exe
5900	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	blue.cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	portRuntimedll.exe

Executes dropped EXE 5 IoCs

pid	Process
3872	Cheat.exe
1640	Loader.exe
4972	portRuntimedll.exe
5776	OfficeClickToRun.exe
4320	sjtrewuvofcs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6084	powercfg.exe
6100	powercfg.exe
6092	powercfg.exe
1228	powercfg.exe
3796	powercfg.exe
1596	powercfg.exe
4484	powercfg.exe
6068	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	sjtrewuvofcs.exe
File opened for modification	C:\Windows\system32\MRT.exe	Loader.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 2192	4320	sjtrewuvofcs.exe	159
PID 4320 set thread context of 3712	4320	sjtrewuvofcs.exe	165

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3712-319-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-325-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-326-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-323-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-329-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-321-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-320-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-322-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-318-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-317-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-332-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-333-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-334-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-335-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3712-336-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\en-US\088424020bedd6	portRuntimedll.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\SppExtComObj.exe	portRuntimedll.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\e1ef82546f0b02	portRuntimedll.exe
File created	C:\Program Files (x86)\Common Files\Oracle\portRuntimedll.exe	portRuntimedll.exe
File created	C:\Program Files (x86)\Common Files\Oracle\f158a526154f35	portRuntimedll.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\OfficeClickToRun.exe	portRuntimedll.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\e6c9b481da804f	portRuntimedll.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\conhost.exe	portRuntimedll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\portRuntimedll.exe	portRuntimedll.exe
File created	C:\Windows\Media\f158a526154f35	portRuntimedll.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6108	sc.exe
5648	sc.exe
4128	sc.exe
3320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000_Classes\Local Settings	Cheat.exe
Key created	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000_Classes\Local Settings	portRuntimedll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe
4972	portRuntimedll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5776	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	portRuntimedll.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeIncreaseQuotaPrivilege	4752	powershell.exe
Token: SeSecurityPrivilege	4752	powershell.exe
Token: SeTakeOwnershipPrivilege	4752	powershell.exe
Token: SeLoadDriverPrivilege	4752	powershell.exe
Token: SeSystemProfilePrivilege	4752	powershell.exe
Token: SeSystemtimePrivilege	4752	powershell.exe
Token: SeProfSingleProcessPrivilege	4752	powershell.exe
Token: SeIncBasePriorityPrivilege	4752	powershell.exe
Token: SeCreatePagefilePrivilege	4752	powershell.exe
Token: SeBackupPrivilege	4752	powershell.exe
Token: SeRestorePrivilege	4752	powershell.exe
Token: SeShutdownPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeSystemEnvironmentPrivilege	4752	powershell.exe
Token: SeRemoteShutdownPrivilege	4752	powershell.exe
Token: SeUndockPrivilege	4752	powershell.exe
Token: SeManageVolumePrivilege	4752	powershell.exe
Token: 33	4752	powershell.exe
Token: 34	4752	powershell.exe
Token: 35	4752	powershell.exe
Token: 36	4752	powershell.exe
Token: SeIncreaseQuotaPrivilege	4664	powershell.exe
Token: SeSecurityPrivilege	4664	powershell.exe
Token: SeTakeOwnershipPrivilege	4664	powershell.exe
Token: SeLoadDriverPrivilege	4664	powershell.exe
Token: SeSystemProfilePrivilege	4664	powershell.exe
Token: SeSystemtimePrivilege	4664	powershell.exe
Token: SeProfSingleProcessPrivilege	4664	powershell.exe
Token: SeIncBasePriorityPrivilege	4664	powershell.exe
Token: SeCreatePagefilePrivilege	4664	powershell.exe
Token: SeBackupPrivilege	4664	powershell.exe
Token: SeRestorePrivilege	4664	powershell.exe
Token: SeShutdownPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeSystemEnvironmentPrivilege	4664	powershell.exe
Token: SeRemoteShutdownPrivilege	4664	powershell.exe
Token: SeUndockPrivilege	4664	powershell.exe
Token: SeManageVolumePrivilege	4664	powershell.exe
Token: 33	4664	powershell.exe
Token: 34	4664	powershell.exe
Token: 35	4664	powershell.exe
Token: 36	4664	powershell.exe
Token: SeIncreaseQuotaPrivilege	1288	powershell.exe
Token: SeSecurityPrivilege	1288	powershell.exe
Token: SeTakeOwnershipPrivilege	1288	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3872	1748	blue.cc.exe	81
PID 1748 wrote to memory of 3872	1748	blue.cc.exe	81
PID 1748 wrote to memory of 3872	1748	blue.cc.exe	81
PID 1748 wrote to memory of 1640	1748	blue.cc.exe	82
PID 1748 wrote to memory of 1640	1748	blue.cc.exe	82
PID 3872 wrote to memory of 2920	3872	Cheat.exe	83
PID 3872 wrote to memory of 2920	3872	Cheat.exe	83
PID 3872 wrote to memory of 2920	3872	Cheat.exe	83
PID 2920 wrote to memory of 2464	2920	WScript.exe	84
PID 2920 wrote to memory of 2464	2920	WScript.exe	84
PID 2920 wrote to memory of 2464	2920	WScript.exe	84
PID 2464 wrote to memory of 4972	2464	cmd.exe	86
PID 2464 wrote to memory of 4972	2464	cmd.exe	86
PID 4972 wrote to memory of 4092	4972	portRuntimedll.exe	87
PID 4972 wrote to memory of 4092	4972	portRuntimedll.exe	87
PID 4972 wrote to memory of 4664	4972	portRuntimedll.exe	88
PID 4972 wrote to memory of 4664	4972	portRuntimedll.exe	88
PID 4972 wrote to memory of 832	4972	portRuntimedll.exe	89
PID 4972 wrote to memory of 832	4972	portRuntimedll.exe	89
PID 4972 wrote to memory of 4824	4972	portRuntimedll.exe	90
PID 4972 wrote to memory of 4824	4972	portRuntimedll.exe	90
PID 4972 wrote to memory of 3696	4972	portRuntimedll.exe	91
PID 4972 wrote to memory of 3696	4972	portRuntimedll.exe	91
PID 4972 wrote to memory of 3228	4972	portRuntimedll.exe	92
PID 4972 wrote to memory of 3228	4972	portRuntimedll.exe	92
PID 4972 wrote to memory of 2120	4972	portRuntimedll.exe	93
PID 4972 wrote to memory of 2120	4972	portRuntimedll.exe	93
PID 4972 wrote to memory of 4776	4972	portRuntimedll.exe	94
PID 4972 wrote to memory of 4776	4972	portRuntimedll.exe	94
PID 4972 wrote to memory of 3900	4972	portRuntimedll.exe	95
PID 4972 wrote to memory of 3900	4972	portRuntimedll.exe	95
PID 4972 wrote to memory of 648	4972	portRuntimedll.exe	96
PID 4972 wrote to memory of 648	4972	portRuntimedll.exe	96
PID 4972 wrote to memory of 4884	4972	portRuntimedll.exe	97
PID 4972 wrote to memory of 4884	4972	portRuntimedll.exe	97
PID 4972 wrote to memory of 4752	4972	portRuntimedll.exe	98
PID 4972 wrote to memory of 4752	4972	portRuntimedll.exe	98
PID 4972 wrote to memory of 2012	4972	portRuntimedll.exe	99
PID 4972 wrote to memory of 2012	4972	portRuntimedll.exe	99
PID 4972 wrote to memory of 1288	4972	portRuntimedll.exe	100
PID 4972 wrote to memory of 1288	4972	portRuntimedll.exe	100
PID 4972 wrote to memory of 3904	4972	portRuntimedll.exe	101
PID 4972 wrote to memory of 3904	4972	portRuntimedll.exe	101
PID 4972 wrote to memory of 1048	4972	portRuntimedll.exe	102
PID 4972 wrote to memory of 1048	4972	portRuntimedll.exe	102
PID 4972 wrote to memory of 4844	4972	portRuntimedll.exe	103
PID 4972 wrote to memory of 4844	4972	portRuntimedll.exe	103
PID 4972 wrote to memory of 4732	4972	portRuntimedll.exe	104
PID 4972 wrote to memory of 4732	4972	portRuntimedll.exe	104
PID 4972 wrote to memory of 4912	4972	portRuntimedll.exe	123
PID 4972 wrote to memory of 4912	4972	portRuntimedll.exe	123
PID 4912 wrote to memory of 2448	4912	cmd.exe	125
PID 4912 wrote to memory of 2448	4912	cmd.exe	125
PID 4912 wrote to memory of 4552	4912	cmd.exe	126
PID 4912 wrote to memory of 4552	4912	cmd.exe	126
PID 4912 wrote to memory of 5776	4912	cmd.exe	128
PID 4912 wrote to memory of 5776	4912	cmd.exe	128
PID 6060 wrote to memory of 2324	6060	cmd.exe	144
PID 6060 wrote to memory of 2324	6060	cmd.exe	144
PID 4320 wrote to memory of 2192	4320	sjtrewuvofcs.exe	159
PID 4320 wrote to memory of 2192	4320	sjtrewuvofcs.exe	159
PID 4320 wrote to memory of 2192	4320	sjtrewuvofcs.exe	159
PID 4320 wrote to memory of 2192	4320	sjtrewuvofcs.exe	159
PID 4320 wrote to memory of 2192	4320	sjtrewuvofcs.exe	159

C:\Users\Admin\AppData\Local\Temp\Blue.cc\Blue cc\blue.cc.exe
"C:\Users\Admin\AppData\Local\Temp\Blue.cc\Blue cc\blue.cc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\surrogatewebDriverPerfdll\sBHMgLRm.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\surrogatewebDriverPerfdll\portRuntimedll.exe
        
        "C:\surrogatewebDriverPerfdll/portRuntimedll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/surrogatewebDriverPerfdll/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\portRuntimedll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\portRuntimedll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\surrogatewebDriverPerfdll\portRuntimedll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZMwhQ5IWge.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4552
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\OfficeClickToRun.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\OfficeClickToRun.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5776
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1640
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6060
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2324
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:6068
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:6084
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:6092
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:6100
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:6108
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "BSJXEIWT" binpath= "C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5648
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4128
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:3320

C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5476
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3424
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1228
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1596
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4484
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2192
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5f67682ca7a065a4b73be7f11a53548

SHA1
f7439e2bdd1dccdfd581db2e24b7bd51b274837e

SHA256
4644634fe9c942d8f31365e20782bf623f10381766602cf34bd76ae1cc68785f

SHA512
4291d74ee55d41bdfe91d14e3a16a0e3cf592f077ffeb7424b7943ee4ab3a40e3b7cd1c3b9826110c46544d6e60aa9e933b473863f63b5b52a4013a50a9c0b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat.exe

Filesize
2.2MB

MD5
a54657ad972c7ed59bfec031e449c45a

SHA1
f26cc3e543842e3d59825d61add2852853078c5a

SHA256
56782c0bce98d22894af0d0354008a0793f7b24ed774c8451c2b367ebc8f2304

SHA512
1f1136608792ba227abe8988411a9127edf3d14c9f40dc9112b3205032fcd293ad7fc29ac322c7a88f005907822d1310e362ad8af32691b0fb8422a92a1060bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
5.0MB

MD5
9a4520febabd856344d00ff8867d278c

SHA1
0cbe2d841471f6d0386232951b16edcc5c19f645

SHA256
d5c5036bdeafcc68f74097fbe090d48be72d0504b446980e00276dfe6c70067a

SHA512
8223c4ed4e0b67c4363eb913206c70441325568816922b9f60b99f64551f2c28b9961f36a4133fc86fe832d2118a88674478f6b62fcd33265e2449f1f512223b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMwhQ5IWge.bat

Filesize
260B

MD5
afed5b4c9216e16fbb8205264f5d5fc6

SHA1
719968a9a21a8baab75ca15660678d0bd6831144

SHA256
50eb301320b31b8374a332e546ddf0e8d9e5b2d20e7fa32d96b1dec5472de1cd

SHA512
f1b91e3a7da3fe243e7900fb4d2986ec7473db92b325f5291593336c7f140bd324350895554fbd35f360e24ad6de3a48215bd488e744c37ef4fd41eaccfe361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmn1kz55.otg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe

Filesize
208B

MD5
24baff33090912fda41dbd7ff59c0758

SHA1
07b467337330f0abf1d1c34ea3d7ad305b42ebd2

SHA256
cf363df03c9082c65d6bb5c914deea16353fbd3871599953c5e51eedfab7d85e

SHA512
337d1dc80884f59fdd5eaf77fcd3cf5353a422ebed3a9bcea53bad1f9363121a2c3e912be00fb3577af0ab0700156a76325fe3ce038a3c91fa416bb318a270bf

Download Submit
C:\surrogatewebDriverPerfdll\portRuntimedll.exe

Filesize
1.9MB

MD5
5d8b6304415990e22a07694f005ea272

SHA1
93e356cac768aad2bb3c614cc3a22825064a5e42

SHA256
ee7ed4e85816e7b6d1587065b4c3c4885082a67e7a1deee08928b903db253cbf

SHA512
f04caa5285b55dbbebee789fcec122d164a5ea541e5b57d05808cff7705508eb716f3e20248dc1659236af37b1f5d64d923d5333d6c0e956d71ebaf879eb04a4

Download Submit
C:\surrogatewebDriverPerfdll\sBHMgLRm.bat

Filesize
88B

MD5
64970882419ad8bc36002ab5bc472a7c

SHA1
10ca95dbb24607f3eafaf27d9233acccd3d929ff

SHA256
cede47cf582f74d4b064d589b94a832a6260a2dc71633ccadb55782ae17e193c

SHA512
09e5b6a4c5158c33eb84d13831eec7c4cd2670b5a810a083667557dc04bcd666e440988e2584ccafa7b8308c6d38c544483752b36cc3d4ea2abf24793ffcb2f3

Download Submit
memory/1748-36-0x00007FFFBC7B0000-0x00007FFFBD272000-memory.dmp

Filesize
10.8MB

Download
memory/1748-0-0x00007FFFBC7B3000-0x00007FFFBC7B5000-memory.dmp

Filesize
8KB

Download
memory/1748-3-0x00007FFFBC7B0000-0x00007FFFBD272000-memory.dmp

Filesize
10.8MB

Download
memory/1748-1-0x0000000000020000-0x00000000005D8000-memory.dmp

Filesize
5.7MB

Download
memory/2192-313-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2192-312-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2192-311-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2192-310-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2192-309-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2192-316-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3712-335-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-332-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-333-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-334-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-318-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-317-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-336-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-319-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-325-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-326-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-324-0x0000000000A00000-0x0000000000A20000-memory.dmp

Filesize
128KB

Download
memory/3712-323-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-329-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-321-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-320-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3712-322-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3828-304-0x00000206FD420000-0x00000206FD43C000-memory.dmp

Filesize
112KB

Download
memory/3828-306-0x00000206FD410000-0x00000206FD41A000-memory.dmp

Filesize
40KB

Download
memory/3828-305-0x00000206FD440000-0x00000206FD4F5000-memory.dmp

Filesize
724KB

Download
memory/4776-70-0x000001DD525A0000-0x000001DD525C2000-memory.dmp

Filesize
136KB

Download
memory/4972-55-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/4972-53-0x0000000000E40000-0x0000000000E4E000-memory.dmp

Filesize
56KB

Download
memory/4972-51-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/4972-49-0x0000000000E70000-0x0000000000E88000-memory.dmp

Filesize
96KB

Download
memory/4972-47-0x0000000000EC0000-0x0000000000F10000-memory.dmp

Filesize
320KB

Download
memory/4972-46-0x0000000000E50000-0x0000000000E6C000-memory.dmp

Filesize
112KB

Download
memory/4972-44-0x0000000000E20000-0x0000000000E2E000-memory.dmp

Filesize
56KB

Download
memory/4972-42-0x00000000003F0000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download