dcrat | de027cb9277735fb1ebeda3beef8c5eb209eae1f89a02915c373406bedccebc8

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3476cd061ca60baffd1a9cf0bbaed40e.exe
Size

84.5MB
MD5

3476cd061ca60baffd1a9cf0bbaed40e
SHA1

05f9416183efec7caed9e9039cb4255e94076c8b
SHA256

de027cb9277735fb1ebeda3beef8c5eb209eae1f89a02915c373406bedccebc8
SHA512

4d43a5991725913cf36801584de563f63eff60fd0204c271a8a6b722e1b1f897078469d012cc153b39c169e827678f0d6986c1da570af1c66251c5b4cf42ce62
SSDEEP

1572864:08cM2l+paDOIYaqkegNzQNGkwaSu0JkWU3M83NzQNGkwjE1Su0JkWU33NAZnk+Gv:BcFApaIueQG6aSu/5BG6mSu/GZnA

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1728	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1728	schtasks.exe	38

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d50-31.dat	dcrat
behavioral1/memory/1548-34-0x0000000000400000-0x000000000587C000-memory.dmp	dcrat
behavioral1/files/0x000500000001a078-947.dat	dcrat
behavioral1/memory/1608-995-0x0000000000910000-0x00000000009E6000-memory.dmp	dcrat
behavioral1/memory/316-1683-0x0000000001020000-0x00000000010F6000-memory.dmp	dcrat

Executes dropped EXE 6 IoCs

pid	Process
2040	BloodLustDesk.exe
2740	FastBombMode.exe
1608	surrogatecontainerbroker.exe
2772	BloodLustDesk.exe
1212	Process not Found
316	audiodg.exe

Loads dropped DLL 12 IoCs

pid	Process
1548	3476cd061ca60baffd1a9cf0bbaed40e.exe
1548	3476cd061ca60baffd1a9cf0bbaed40e.exe
1092	cmd.exe
1092	cmd.exe
2040	BloodLustDesk.exe
2772	BloodLustDesk.exe
2772	BloodLustDesk.exe
2772	BloodLustDesk.exe
2772	BloodLustDesk.exe
2772	BloodLustDesk.exe
2772	BloodLustDesk.exe
2772	BloodLustDesk.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\taskhost.exe	surrogatecontainerbroker.exe
File created	C:\Program Files (x86)\Windows Media Player\b75386f1303e64	surrogatecontainerbroker.exe
File created	C:\Program Files\Windows Defender\cmd.exe	surrogatecontainerbroker.exe
File created	C:\Program Files\Windows Defender\ebf1f9fa8afd6d	surrogatecontainerbroker.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	surrogatecontainerbroker.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	surrogatecontainerbroker.exe
File created	C:\Program Files\Windows Defender\en-US\WMIADAP.exe	surrogatecontainerbroker.exe
File created	C:\Program Files\Windows Defender\en-US\75a57c1bdf437c	surrogatecontainerbroker.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\lsm.exe	surrogatecontainerbroker.exe
File created	C:\Windows\ja-JP\101b941d020240	surrogatecontainerbroker.exe
File created	C:\Windows\diagnostics\system\WindowsUpdate\fr-FR\WMIADAP.exe	surrogatecontainerbroker.exe
File created	C:\Windows\winsxs\spoolsv.exe	surrogatecontainerbroker.exe
File created	C:\Windows\security\cmd.exe	surrogatecontainerbroker.exe
File created	C:\Windows\security\ebf1f9fa8afd6d	surrogatecontainerbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3476cd061ca60baffd1a9cf0bbaed40e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FastBombMode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
2112	schtasks.exe
3036	schtasks.exe
2700	schtasks.exe
1508	schtasks.exe
1052	schtasks.exe
852	schtasks.exe
2988	schtasks.exe
2880	schtasks.exe
3032	schtasks.exe
2836	schtasks.exe
1112	schtasks.exe
2264	schtasks.exe
1788	schtasks.exe
1008	schtasks.exe
2164	schtasks.exe
900	schtasks.exe
2648	schtasks.exe
3064	schtasks.exe
1320	schtasks.exe
1232	schtasks.exe
2268	schtasks.exe
1284	schtasks.exe
3028	schtasks.exe
1600	schtasks.exe
2576	schtasks.exe
1840	schtasks.exe
636	schtasks.exe
1628	schtasks.exe
1636	schtasks.exe
1760	schtasks.exe
3048	schtasks.exe
2684	schtasks.exe
1768	schtasks.exe
2100	schtasks.exe
1676	schtasks.exe
2540	schtasks.exe
2556	schtasks.exe
2604	schtasks.exe
1652	schtasks.exe
1132	schtasks.exe
2904	schtasks.exe
2680	schtasks.exe
2840	schtasks.exe
2716	schtasks.exe
888	schtasks.exe
2036	schtasks.exe
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1608	surrogatecontainerbroker.exe
1608	surrogatecontainerbroker.exe
1608	surrogatecontainerbroker.exe
316	audiodg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	surrogatecontainerbroker.exe
Token: SeDebugPrivilege	316	audiodg.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2040	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	31
PID 1548 wrote to memory of 2040	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	31
PID 1548 wrote to memory of 2040	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	31
PID 1548 wrote to memory of 2040	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	31
PID 1548 wrote to memory of 2740	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	32
PID 1548 wrote to memory of 2740	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	32
PID 1548 wrote to memory of 2740	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	32
PID 1548 wrote to memory of 2740	1548	3476cd061ca60baffd1a9cf0bbaed40e.exe	32
PID 2740 wrote to memory of 1632	2740	FastBombMode.exe	33
PID 2740 wrote to memory of 1632	2740	FastBombMode.exe	33
PID 2740 wrote to memory of 1632	2740	FastBombMode.exe	33
PID 2740 wrote to memory of 1632	2740	FastBombMode.exe	33
PID 1632 wrote to memory of 1092	1632	WScript.exe	34
PID 1632 wrote to memory of 1092	1632	WScript.exe	34
PID 1632 wrote to memory of 1092	1632	WScript.exe	34
PID 1632 wrote to memory of 1092	1632	WScript.exe	34
PID 1092 wrote to memory of 1608	1092	cmd.exe	36
PID 1092 wrote to memory of 1608	1092	cmd.exe	36
PID 1092 wrote to memory of 1608	1092	cmd.exe	36
PID 1092 wrote to memory of 1608	1092	cmd.exe	36
PID 2040 wrote to memory of 2772	2040	BloodLustDesk.exe	37
PID 2040 wrote to memory of 2772	2040	BloodLustDesk.exe	37
PID 2040 wrote to memory of 2772	2040	BloodLustDesk.exe	37
PID 1608 wrote to memory of 1640	1608	surrogatecontainerbroker.exe	87
PID 1608 wrote to memory of 1640	1608	surrogatecontainerbroker.exe	87
PID 1608 wrote to memory of 1640	1608	surrogatecontainerbroker.exe	87
PID 1640 wrote to memory of 968	1640	cmd.exe	89
PID 1640 wrote to memory of 968	1640	cmd.exe	89
PID 1640 wrote to memory of 968	1640	cmd.exe	89
PID 1640 wrote to memory of 316	1640	cmd.exe	91
PID 1640 wrote to memory of 316	1640	cmd.exe	91
PID 1640 wrote to memory of 316	1640	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3476cd061ca60baffd1a9cf0bbaed40e.exe
"C:\Users\Admin\AppData\Local\Temp\3476cd061ca60baffd1a9cf0bbaed40e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\FastBombMode.exe
  "C:\Users\Admin\AppData\Local\Temp\FastBombMode.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Componenthostnet\TvxC3PUKAKzjvlu.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Componenthostnet\VE2B2eC4lgdcy8a.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Componenthostnet\surrogatecontainerbroker.exe
        
        "C:\Componenthostnet\surrogatecontainerbroker.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\klF8DKaF7L.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:968
        
        C:\Componenthostnet\audiodg.exe
        
        "C:\Componenthostnet\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Componenthostnet\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Componenthostnet\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Componenthostnet\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\en-US\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\security\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BloodLustDeskB" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\BloodLustDesk.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BloodLustDesk" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\BloodLustDesk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BloodLustDeskB" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\BloodLustDesk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componenthostnet\TvxC3PUKAKzjvlu.vbe

Filesize
208B

MD5
d23133ca3691f7d9d1d32cab028e355c

SHA1
67ebcd77cfa01c68ff71f8b33210a83ab9165c84

SHA256
113c31301fd382d7a23d9f9d7e7090ac299581f347bb666047ba6997e54bf427

SHA512
d202ef559bbbf5e0027c1f4ed9d36cff1fe961465d1431c9ffa9cdb873fb84d840f71be390949f768e241ff51b8ec7cf1442850747ae0563555f0a09b9a444fa

Download Submit
C:\Componenthostnet\VE2B2eC4lgdcy8a.bat

Filesize
50B

MD5
5edec98915bab0d6d5fc7f48099ef999

SHA1
beff0ae385f235bc88841555740063fe1ba36999

SHA256
b369dda05f06bf6a67327cb15d9d566e9301c08261e5252b7e1da57c98dfecd2

SHA512
6d46f0b4a8e46e2f96018751e337ff3de82cb17eade47a05971c086ba5c18ad64f9c4eb37b3e9c9850d955e860828167ae9afad738b5396e70e50005f3d63e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Africa\Conakry

Filesize
148B

MD5
09a9397080948b96d97819d636775e33

SHA1
5cc9b028b5bd2222200e20091a18868ea62c4f18

SHA256
d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997

SHA512
2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Africa\Djibouti

Filesize
265B

MD5
86dcc322e421bc8bdd14925e9d61cd6c

SHA1
289d1fb5a419107bc1d23a84a9e06ad3f9ee8403

SHA256
c89b2e253a8926a6cecf7eff34e4bfcdb7fe24daff22d84718c30deec0ea4968

SHA512
d32771be8629fb3186723c8971f06c3803d31389438b29bf6baa958b3f9db9a38971019583ba272c7a8f5eb4a633dfc467bfcb6f76faa8e290bad4fd7366bb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Africa\Kigali

Filesize
149B

MD5
b77fb20b4917d76b65c3450a7117023c

SHA1
b99f3115100292d9884a22ed9aef9a9c43b31ccd

SHA256
93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682

SHA512
a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Africa\Lagos

Filesize
235B

MD5
8244c4cc8508425b6612fa24df71e603

SHA1
30ba925b4670235915dddfa1dd824dd9d7295eac

SHA256
cffeb0282ccbd7fba0e493ff8677a1e5a6dd5197885042e437f95a773f844846

SHA512
560c7581dcb2c800eae779005e41406beaf15d24efc763304e3111b9bb6074fe0ba59c48b5a2c5511245551b94418bbc35934d9bd46313fcc6e383323056668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\America\Curacao

Filesize
246B

MD5
adf95d436701b9774205f9315ec6e4a4

SHA1
fcf8be5296496a5dd3a7a97ed331b0bb5c861450

SHA256
8491e557ff801a8306516b8ca5946ff5f2e6821af31477eb47d7d191cc5a6497

SHA512
f8fceff3c346224d693315af1ab12433eb046415200abaa6cdd65fd0ad40673fdddf67b83563d351e4aa520565881a4226fb37d578d3ba88a135e596ebb9b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\America\Toronto

Filesize
3KB

MD5
8dabdbbb4e33dcb0683c8a2db78fedc4

SHA1
a6d038ecff7126ee19ebb08a40d157c9a79964cd

SHA256
a587a1a1607439f7bac283e1815f2bdbafb9649a453d18e06c2e44e6996d888f

SHA512
35bfd5182535f5257d7ee693eb6827751993915129d7f3cc276783926b1f4db7a00d8f0b44a95ac80c294a9cc1b84bda6418134c2a5c10ba6c89946bd8ef97a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Etc\Greenwich

Filesize
114B

MD5
9cd2aef183c064f630dfcf6018551374

SHA1
2a8483df5c2809f1dfe0c595102c474874338379

SHA256
6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d

SHA512
dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Europe\London

Filesize
3KB

MD5
a40006ee580ef0a4b6a7b925fee2e11f

SHA1
1beba7108ea93c7111dabc9d7f4e4bfdea383992

SHA256
c85495070dca42687df6a1c3ee780a27cbcb82f1844750ea6f642833a44d29b4

SHA512
316ecacc34136294ce11dcb6d0f292570ad0515f799fd59fbff5e7121799860b1347d802b6439a291f029573a3715e043009e2c1d5275f38957be9e04f92e62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Europe\Oslo

Filesize
2KB

MD5
7db6c3e5031eaf69e6d1e5583ab2e870

SHA1
918341ad71f9d3acd28997326e42d5b00fba41e0

SHA256
5ee475f71a0fc1a32faeb849f8c39c6e7aa66d6d41ec742b97b3a7436b3b0701

SHA512
688eaa6d3001192addaa49d4e15f57aa59f3dd9dc511c063aa2687f36ffd28ffef01d937547926be6477bba8352a8006e8295ee77690be935f76d977c3ea12fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Europe\Skopje

Filesize
1KB

MD5
6213fc0a706f93af6ff6a831fecbc095

SHA1
961a2223fd1573ab344930109fbd905336175c5f

SHA256
3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a

SHA512
8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\PRC

Filesize
561B

MD5
09dd479d2f22832ce98c27c4db7ab97c

SHA1
79360e38e040eaa15b6e880296c1d1531f537b6f

SHA256
64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6

SHA512
f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Pacific\Wallis

Filesize
152B

MD5
5bdd7374e21e3df324a5b3d178179715

SHA1
244ed7d52bc39d915e1f860727ecfe3f4b1ae121

SHA256
53268a8a6b11f0b8e02fc67683ae48d074efaf7b4c66e036c1478107afd9a7d7

SHA512
9c76f39e8795c50e6c5b384a7ff1f308a1c5173f42f810759b36cdeae7d33d1dac4934efeed580c59d988c152e2d7f8d9b8eb2073ab1fc15e4b9c10900c7b383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\Pacific\Yap

Filesize
172B

MD5
ec972f59902432836f93737f75c5116f

SHA1
331542d6faf6ab15ffd364d57fbaa62629b52b94

SHA256
9c1dfa1c15994dd8774e53f40cb14dcf529143468721f1dba7b2c2e14ae9f5f0

SHA512
e8e8c8f6d096c352d1244280254e4c6ecf93f7c2ff69ecc6fa4363a6be8a2daf6cfcd7f0d96bc2669268ced5565532fa06be348a139b0742ccccb83953c6324d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pytz\zoneinfo\UCT

Filesize
114B

MD5
38bb24ba4d742dd6f50c1cba29cd966a

SHA1
d0b8991654116e9395714102c41d858c1454b3bd

SHA256
8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2

SHA512
194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\klF8DKaF7L.bat

Filesize
196B

MD5
28c992140f650e48e115b4028f502b86

SHA1
cefa40bdb0a3e05aa8f15b0dcfd1ff100f1873fa

SHA256
02301216ac5e6d6aba9c46b27fb964b36b0655fe398fc8492e3494a0d2c9315a

SHA512
86e984fc76072382e0e0ad627e33b5e4d5df24ae51e17dab87a8f854df6adcf725671eb8e9e1afd56b72c21d7bbc203643ba6239d49716c2deafb769fa40746a

Download Submit
\Componenthostnet\surrogatecontainerbroker.exe

Filesize
827KB

MD5
cb58babe6cf8d4bbf6d4ff43509d1b57

SHA1
e3f30374679890b1ff56737085e34e3713828ddc

SHA256
fcddce25418e3c1ebfc98373185c1e201980d060bf24ed3cc2055adfb2fff255

SHA512
009dd43521c14b36bcae6ee1421ca89e0a1874b6850ac933e28ce4cc4c42391615cc59a094a1b5b2ba96b39f19e234921ab46e80c8f1f66b08670ab290f87797

Download Submit
\Users\Admin\AppData\Local\Temp\FastBombMode.exe

Filesize
1.1MB

MD5
14e58615a68163596b9963cf2546cac5

SHA1
708224797285d1d018bbb9de930d6fba72213b3b

SHA256
38e7a2d869e2ba24d63c146ef9be98f6039953b17dcbca6e4f7ac98aacadb048

SHA512
f4facd1983d63b32ae18e4de2c2364f5150211e8c81dc8e5fb02f3bf4a2fe638830ea208f93bbc3e8eb1d761955c145d95fe3f07373c8b8ee30a0f84e5ac1743

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20402\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
memory/316-1683-0x0000000001020000-0x00000000010F6000-memory.dmp

Filesize
856KB

Download
memory/1548-34-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/1608-995-0x0000000000910000-0x00000000009E6000-memory.dmp

Filesize
856KB

Download