dcrat | de027cb9277735fb1ebeda3beef8c5eb209eae1f89a02915c373406bedccebc8

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3476cd061ca60baffd1a9cf0bbaed40e.exe
Size

84.5MB
MD5

3476cd061ca60baffd1a9cf0bbaed40e
SHA1

05f9416183efec7caed9e9039cb4255e94076c8b
SHA256

de027cb9277735fb1ebeda3beef8c5eb209eae1f89a02915c373406bedccebc8
SHA512

4d43a5991725913cf36801584de563f63eff60fd0204c271a8a6b722e1b1f897078469d012cc153b39c169e827678f0d6986c1da570af1c66251c5b4cf42ce62
SSDEEP

1572864:08cM2l+paDOIYaqkegNzQNGkwaSu0JkWU3M83NzQNGkwjE1Su0JkWU33NAZnk+Gv:BcFApaIueQG6aSu/5BG6mSu/GZnA

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4328	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4328	schtasks.exe	90

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000b000000023b93-23.dat	dcrat
behavioral2/memory/3636-47-0x0000000000400000-0x000000000587C000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cff-959.dat	dcrat
behavioral2/memory/1120-960-0x0000000000540000-0x0000000000616000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3476cd061ca60baffd1a9cf0bbaed40e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	FastBombMode.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	surrogatecontainerbroker.exe

Executes dropped EXE 6 IoCs

pid	Process
1632	BloodLustDesk.exe
556	FastBombMode.exe
1120	surrogatecontainerbroker.exe
652	BloodLustDesk.exe
4332	flet.exe
1668	taskhostw.exe

Loads dropped DLL 51 IoCs

pid	Process
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
652	BloodLustDesk.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe
4332	flet.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\55b276f4edf653	surrogatecontainerbroker.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	surrogatecontainerbroker.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792	surrogatecontainerbroker.exe
File created	C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe	surrogatecontainerbroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\winlogon.exe	surrogatecontainerbroker.exe
File created	C:\Windows\Setup\State\cc11b995f2a76d	surrogatecontainerbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3476cd061ca60baffd1a9cf0bbaed40e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FastBombMode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	FastBombMode.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	surrogatecontainerbroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
884	schtasks.exe
3640	schtasks.exe
4276	schtasks.exe
4384	schtasks.exe
932	schtasks.exe
3960	schtasks.exe
4836	schtasks.exe
3224	schtasks.exe
448	schtasks.exe
784	schtasks.exe
2056	schtasks.exe
4780	schtasks.exe
3676	schtasks.exe
2904	schtasks.exe
1864	schtasks.exe
2208	schtasks.exe
3412	schtasks.exe
2392	schtasks.exe
2312	schtasks.exe
768	schtasks.exe
4488	schtasks.exe
3412	schtasks.exe
2516	schtasks.exe
1268	schtasks.exe
3948	schtasks.exe
3648	schtasks.exe
1480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1120	surrogatecontainerbroker.exe
1668	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	surrogatecontainerbroker.exe
Token: SeDebugPrivilege	1668	taskhostw.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4332	flet.exe
4332	flet.exe
4332	flet.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1632	3636	3476cd061ca60baffd1a9cf0bbaed40e.exe	84
PID 3636 wrote to memory of 1632	3636	3476cd061ca60baffd1a9cf0bbaed40e.exe	84
PID 3636 wrote to memory of 556	3636	3476cd061ca60baffd1a9cf0bbaed40e.exe	85
PID 3636 wrote to memory of 556	3636	3476cd061ca60baffd1a9cf0bbaed40e.exe	85
PID 3636 wrote to memory of 556	3636	3476cd061ca60baffd1a9cf0bbaed40e.exe	85
PID 556 wrote to memory of 3240	556	FastBombMode.exe	86
PID 556 wrote to memory of 3240	556	FastBombMode.exe	86
PID 556 wrote to memory of 3240	556	FastBombMode.exe	86
PID 3240 wrote to memory of 4480	3240	WScript.exe	87
PID 3240 wrote to memory of 4480	3240	WScript.exe	87
PID 3240 wrote to memory of 4480	3240	WScript.exe	87
PID 4480 wrote to memory of 1120	4480	cmd.exe	89
PID 4480 wrote to memory of 1120	4480	cmd.exe	89
PID 1632 wrote to memory of 652	1632	BloodLustDesk.exe	113
PID 1632 wrote to memory of 652	1632	BloodLustDesk.exe	113
PID 1120 wrote to memory of 4848	1120	surrogatecontainerbroker.exe	119
PID 1120 wrote to memory of 4848	1120	surrogatecontainerbroker.exe	119
PID 4848 wrote to memory of 1124	4848	cmd.exe	121
PID 4848 wrote to memory of 1124	4848	cmd.exe	121
PID 652 wrote to memory of 4332	652	BloodLustDesk.exe	125
PID 652 wrote to memory of 4332	652	BloodLustDesk.exe	125
PID 4848 wrote to memory of 1668	4848	cmd.exe	126
PID 4848 wrote to memory of 1668	4848	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3476cd061ca60baffd1a9cf0bbaed40e.exe
"C:\Users\Admin\AppData\Local\Temp\3476cd061ca60baffd1a9cf0bbaed40e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\BloodLustDesk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\_MEI16322\flet\bin\flet\flet.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI16322\flet\bin\flet\flet.exe tcp://localhost:54649 C:\Users\Admin\AppData\Local\Temp\JdGvqMocFj5KcmpSJj64 C:\Users\Admin\AppData\Local\Temp\_MEI16322\assets
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4332
- C:\Users\Admin\AppData\Local\Temp\FastBombMode.exe
  "C:\Users\Admin\AppData\Local\Temp\FastBombMode.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Componenthostnet\TvxC3PUKAKzjvlu.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Componenthostnet\VE2B2eC4lgdcy8a.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Componenthostnet\surrogatecontainerbroker.exe
        
        "C:\Componenthostnet\surrogatecontainerbroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FlD5FAbny6.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1124
        
        C:\Users\Default\Recent\taskhostw.exe
        
        "C:\Users\Default\Recent\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Recent\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-4050598569-1597076380-177084960-1000\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-4050598569-1597076380-177084960-1000\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-4050598569-1597076380-177084960-1000\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componenthostnet\TvxC3PUKAKzjvlu.vbe

Filesize
208B

MD5
d23133ca3691f7d9d1d32cab028e355c

SHA1
67ebcd77cfa01c68ff71f8b33210a83ab9165c84

SHA256
113c31301fd382d7a23d9f9d7e7090ac299581f347bb666047ba6997e54bf427

SHA512
d202ef559bbbf5e0027c1f4ed9d36cff1fe961465d1431c9ffa9cdb873fb84d840f71be390949f768e241ff51b8ec7cf1442850747ae0563555f0a09b9a444fa

Download Submit
C:\Componenthostnet\VE2B2eC4lgdcy8a.bat

Filesize
50B

MD5
5edec98915bab0d6d5fc7f48099ef999

SHA1
beff0ae385f235bc88841555740063fe1ba36999

SHA256
b369dda05f06bf6a67327cb15d9d566e9301c08261e5252b7e1da57c98dfecd2

SHA512
6d46f0b4a8e46e2f96018751e337ff3de82cb17eade47a05971c086ba5c18ad64f9c4eb37b3e9c9850d955e860828167ae9afad738b5396e70e50005f3d63e34

Download Submit
C:\Componenthostnet\surrogatecontainerbroker.exe

Filesize
827KB

MD5
cb58babe6cf8d4bbf6d4ff43509d1b57

SHA1
e3f30374679890b1ff56737085e34e3713828ddc

SHA256
fcddce25418e3c1ebfc98373185c1e201980d060bf24ed3cc2055adfb2fff255

SHA512
009dd43521c14b36bcae6ee1421ca89e0a1874b6850ac933e28ce4cc4c42391615cc59a094a1b5b2ba96b39f19e234921ab46e80c8f1f66b08670ab290f87797

Download Submit
C:\Users\Admin\AppData\Local\Temp\FastBombMode.exe

Filesize
1.1MB

MD5
14e58615a68163596b9963cf2546cac5

SHA1
708224797285d1d018bbb9de930d6fba72213b3b

SHA256
38e7a2d869e2ba24d63c146ef9be98f6039953b17dcbca6e4f7ac98aacadb048

SHA512
f4facd1983d63b32ae18e4de2c2364f5150211e8c81dc8e5fb02f3bf4a2fe638830ea208f93bbc3e8eb1d761955c145d95fe3f07373c8b8ee30a0f84e5ac1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\VCRUNTIME140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\_ctypes.pyd

Filesize
122KB

MD5
29da9b022c16da461392795951ce32d9

SHA1
0e514a8f88395b50e797d481cbbed2b4ae490c19

SHA256
3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372

SHA512
5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-fibers-l1-1-0.dll

Filesize
20KB

MD5
ee3f0d24e7e32e661ac407c60b84b7db

SHA1
09107fb9ace59a1ac3a8b8dbb4ff00b91182929b

SHA256
c86ebc9f48e2db659e80d9c7ad5f29e6b6c850eea58813c041baeff496ae4f18

SHA512
c3fbba7fad4fe03a3a763ad86681655f1bb04d6dd9f64c0083aaa0262ce18f82970365532337825d44ec92b3d79b3212817b25f188537a3771807ad17e7f8d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7c7b61ffa29209b13d2506418746780b

SHA1
08f3a819b5229734d98d58291be4bfa0bec8f761

SHA256
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3

SHA512
6e5e3485d980e7e2824665cbfe4f1619b3e61ce3bcbf103979532e2b1c3d22c89f65bcfbddbb5fe88cddd096f8fd72d498e8ee35c3c2307bacecc6debbc1c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
6d0550d3a64bd3fd1d1b739133efb133

SHA1
c7596fde7ea1c676f0cc679ced8ba810d15a4afe

SHA256
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91

SHA512
5da9d490ef54a1129c94ce51349399b9012fc0d4b575ae6c9f1bafcfcf7f65266f797c539489f882d4ad924c94428b72f5137009a851ecb541fe7fb9de12feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
721baea26a27134792c5ccc613f212b2

SHA1
2a27dcd2436df656a8264a949d9ce00eab4e35e8

SHA256
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd

SHA512
9fd6058407aa95058ed2fda9d391b7a35fa99395ec719b83c5116e91c9b448a6d853ecc731d0bdf448d1436382eecc1fa9101f73fa242d826cc13c4fd881d9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b3f887142f40cb176b59e58458f8c46d

SHA1
a05948aba6f58eb99bbac54fa3ed0338d40cbfad

SHA256
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da

SHA512
7b762319ec58e3fcb84b215ae142699b766fa9d5a26e1a727572ee6ed4f5d19c859efb568c0268846b4aa5506422d6dd9b4854da2c9b419bfec754f547203f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
89f35cb1212a1fd8fbe960795c92d6e8

SHA1
061ae273a75324885dd098ee1ff4246a97e1e60c

SHA256
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1

SHA512
f9e81f1feab1535128b16e9ff389bd3daaab8d1dabf64270f9e563be9d370c023de5d5306dd0de6d27a5a099e7c073d17499442f058ec1d20b9d37f56bcfe6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
0c933a4b3c2fcf1f805edd849428c732

SHA1
b8b19318dbb1d2b7d262527abd1468d099de3fb6

SHA256
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3

SHA512
b25ed54345a5b14e06aa9dadd07b465c14c23225023d7225e04fbd8a439e184a7d43ab40df80e3f8a3c0f2d5c7a79b402ddc6b9093d0d798e612f4406284e39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
8d12ffd920314b71f2c32614cc124fec

SHA1
251a98f2c75c2e25ffd0580f90657a3ea7895f30

SHA256
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887

SHA512
5084c739d7de465a9a78bcdbb8a3bd063b84a68dcfd3c9ef1bfa224c1cc06580e2a2523fd4696cfc48e9fd068a2c44dbc794dd9bdb43dc74b4e854c82ecd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
9fa3fc24186d912b0694a572847d6d74

SHA1
93184e00cbddacab7f2ad78447d0eac1b764114d

SHA256
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014

SHA512
95ad31c9082f57ea57f5b4c605331fcad62735a1862afb01ef8a67fea4e450154c1ae0c411cf3ac5b9cd35741f8100409cc1910f69c1b2d807d252389812f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
c9cbad5632d4d42a1bc25ccfa8833601

SHA1
09f37353a89f1bfe49f7508559da2922b8efeb05

SHA256
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e

SHA512
2412e0affdc6db069de7bd9666b7baa1cd76aa8d976c9649a4c2f1ffce27f8269c9b02da5fd486ec86b54231b1a5ebf6a1c72790815b7c253fee1f211086892f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
4ccde2d1681217e282996e27f3d9ed2e

SHA1
8eda134b0294ed35e4bbac4911da620301a3f34d

SHA256
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045

SHA512
93fe6ae9a947ac88cc5ed78996e555700340e110d12b2651f11956db7cee66322c269717d31fccb31744f4c572a455b156b368f08b70eda9effec6de01dbab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
e86cfc5e1147c25972a5eefed7be989f

SHA1
0075091c0b1f2809393c5b8b5921586bdd389b29

SHA256
72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a

SHA512
ea58a8d5aa587b7f5bde74b4d394921902412617100ed161a7e0bef6b3c91c5dae657065ea7805a152dd76992997017e070f5415ef120812b0d61a401aa8c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
206adcb409a1c9a026f7afdfc2933202

SHA1
bb67e1232a536a4d1ae63370bd1a9b5431335e77

SHA256
76d8e4ed946deefeefa0d0012c276f0b61f3d1c84af00533f4931546cbb2f99e

SHA512
727aa0c4cd1a0b7e2affdced5da3a0e898e9bae3c731ff804406ad13864cee2b27e5baac653bab9a0d2d961489915d4fcad18557d4383ecb0a066902276955a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1e4c4c8e643de249401e954488744997

SHA1
db1c4c0fc907100f204b21474e8cd2db0135bc61

SHA256
f28a8fe2cd7e8e00b6d2ec273c16db6e6eea9b6b16f7f69887154b6228af981e

SHA512
ef8411fd321c0e363c2e5742312cc566e616d4b0a65eff4fb6f1b22fdbea3410e1d75b99e889939ff70ad4629c84cedc88f6794896428c5f0355143443fdc3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-private-l1-1-0.dll

Filesize
62KB

MD5
d76e7aaecb3d1ca9948c31bdae52eb9d

SHA1
142a2bb0084faa2a25d0028846921545f09d9ae9

SHA256
785c49fd9f99c6eb636d78887aa186233e9304921dd835dee8f72e2609ff65c4

SHA512
52da403286659cf201c72fa0ab3c506ade86c7e2fef679f35876a5cec4aee97afbc5bb13a259c51efb8706f6ae7f5a6a3800176b89f424b6a4e9f3d5b8289620

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
dbc27d384679916ba76316fb5e972ea6

SHA1
fb9f021f2220c852f6ff4ea94e8577368f0616a4

SHA256
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1

SHA512
cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\audioplayers_windows_plugin.dll

Filesize
190KB

MD5
4a344378f7fb7cc21a5aa77383d77e32

SHA1
d3bbaa3facf2033b122feb3fc0e5aa54744966a1

SHA256
da525c476759c8e5d3f5e485c2e5e040a57ef05b26d915fe94b5534a658f2d65

SHA512
6173191b85291ebc32e902a42fb1a58c9151ec7441a3976329b79b2947d1cf5312b8c9c5957418fce68b157f680019efe21a2cb0183842e3f06eedd519847163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\base_library.zip

Filesize
822KB

MD5
926a792570946c8d2c013aef825f6d18

SHA1
c4e70d3b2123d45772af90a70c492a907c17942a

SHA256
a97f6fd52b31ff5dbd0168aaf589d1c07f54bff2fe9a660c7893626d52eef259

SHA512
f5a104606e99ccf36bc3c5fb3d34537ba5630f36d8307d02977acb998c42be9146969e243ce29e5f88b65e40f6a1fe28534de6fc510c243b029cc6957ff24802

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\flutter_windows.dll

Filesize
17.1MB

MD5
bdc442a5daf2700fca8185cab5db4db2

SHA1
8cc833b0f9023585626fbbd9a4644a727cc3fa87

SHA256
2a8008aa91f3bec8722115fd9a7603790b347cdd9883a35463689045b16eed75

SHA512
4dd2744dda549462ae2555375a3c5a3b85a2a5b9113c63bcdd761592d9ef13d00de23cf47a4204d0afa4ab977018c70176705ab9bdd320443425d7a74f88ccaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\libEGL.dll

Filesize
461KB

MD5
0f61da7cea39e89861117f3cb4620dae

SHA1
9ca286bf6d5617eb38101d5e166edac29497c9c5

SHA256
b2590bd0692f0381fc45c20bf1c7f7f713c9ea19c7ea6bab62efdd1fadc4eaac

SHA512
7dc2bbce9808e00122ae0d960ad6b0156d201494aedf4c4c9e261f50986b72dd19b41d443138ffdf1b2e5b8e29614f0a1e909e4c867262eab311f6675618369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\libGLESv2.dll

Filesize
7.1MB

MD5
d22c92bee4e7a14d6c74e7376eca7605

SHA1
0592d72d5e0e38e5cfd9a090309260962bf8c4d9

SHA256
620bb6e38d7ed6c760a0cf4a8eb6a8f64b259b96ff286551cd32cefc6c35ca39

SHA512
2aeec8ccf9db442a2b1e3b391e6c3e899de1266199e6ee6040aceeaf8931e1d10c55ea1ab9ebbd3cc662bf56aea698c09e38f75c7b3e8b0b27c02af63d36993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\libmpv-2.dll

Filesize
28.4MB

MD5
3a6bd0dc9ab32d7b450f06bca2359274

SHA1
b2be6a73be23b60f1d23543363ea559438218c72

SHA256
d5f0694b08c124e785d858d00082f3e3b158dd9138bfc48c0382bf1eb443a5fc

SHA512
4c8133321833bc94c8a2f1ddc83523fd554d9699efa09d8dea6ef4aa9bbca0a4f041a10e4793b6424c8cffc4583e36c2a96039017f29465458a9a2e5510631ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Africa\Conakry

Filesize
148B

MD5
09a9397080948b96d97819d636775e33

SHA1
5cc9b028b5bd2222200e20091a18868ea62c4f18

SHA256
d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997

SHA512
2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Africa\Djibouti

Filesize
265B

MD5
86dcc322e421bc8bdd14925e9d61cd6c

SHA1
289d1fb5a419107bc1d23a84a9e06ad3f9ee8403

SHA256
c89b2e253a8926a6cecf7eff34e4bfcdb7fe24daff22d84718c30deec0ea4968

SHA512
d32771be8629fb3186723c8971f06c3803d31389438b29bf6baa958b3f9db9a38971019583ba272c7a8f5eb4a633dfc467bfcb6f76faa8e290bad4fd7366bb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Africa\Kigali

Filesize
149B

MD5
b77fb20b4917d76b65c3450a7117023c

SHA1
b99f3115100292d9884a22ed9aef9a9c43b31ccd

SHA256
93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682

SHA512
a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Africa\Lagos

Filesize
235B

MD5
8244c4cc8508425b6612fa24df71e603

SHA1
30ba925b4670235915dddfa1dd824dd9d7295eac

SHA256
cffeb0282ccbd7fba0e493ff8677a1e5a6dd5197885042e437f95a773f844846

SHA512
560c7581dcb2c800eae779005e41406beaf15d24efc763304e3111b9bb6074fe0ba59c48b5a2c5511245551b94418bbc35934d9bd46313fcc6e383323056668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\America\Curacao

Filesize
246B

MD5
adf95d436701b9774205f9315ec6e4a4

SHA1
fcf8be5296496a5dd3a7a97ed331b0bb5c861450

SHA256
8491e557ff801a8306516b8ca5946ff5f2e6821af31477eb47d7d191cc5a6497

SHA512
f8fceff3c346224d693315af1ab12433eb046415200abaa6cdd65fd0ad40673fdddf67b83563d351e4aa520565881a4226fb37d578d3ba88a135e596ebb9b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\America\Toronto

Filesize
3KB

MD5
8dabdbbb4e33dcb0683c8a2db78fedc4

SHA1
a6d038ecff7126ee19ebb08a40d157c9a79964cd

SHA256
a587a1a1607439f7bac283e1815f2bdbafb9649a453d18e06c2e44e6996d888f

SHA512
35bfd5182535f5257d7ee693eb6827751993915129d7f3cc276783926b1f4db7a00d8f0b44a95ac80c294a9cc1b84bda6418134c2a5c10ba6c89946bd8ef97a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Etc\Greenwich

Filesize
114B

MD5
9cd2aef183c064f630dfcf6018551374

SHA1
2a8483df5c2809f1dfe0c595102c474874338379

SHA256
6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d

SHA512
dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Europe\London

Filesize
3KB

MD5
a40006ee580ef0a4b6a7b925fee2e11f

SHA1
1beba7108ea93c7111dabc9d7f4e4bfdea383992

SHA256
c85495070dca42687df6a1c3ee780a27cbcb82f1844750ea6f642833a44d29b4

SHA512
316ecacc34136294ce11dcb6d0f292570ad0515f799fd59fbff5e7121799860b1347d802b6439a291f029573a3715e043009e2c1d5275f38957be9e04f92e62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Europe\Oslo

Filesize
2KB

MD5
7db6c3e5031eaf69e6d1e5583ab2e870

SHA1
918341ad71f9d3acd28997326e42d5b00fba41e0

SHA256
5ee475f71a0fc1a32faeb849f8c39c6e7aa66d6d41ec742b97b3a7436b3b0701

SHA512
688eaa6d3001192addaa49d4e15f57aa59f3dd9dc511c063aa2687f36ffd28ffef01d937547926be6477bba8352a8006e8295ee77690be935f76d977c3ea12fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Europe\Skopje

Filesize
1KB

MD5
6213fc0a706f93af6ff6a831fecbc095

SHA1
961a2223fd1573ab344930109fbd905336175c5f

SHA256
3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a

SHA512
8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\PRC

Filesize
561B

MD5
09dd479d2f22832ce98c27c4db7ab97c

SHA1
79360e38e040eaa15b6e880296c1d1531f537b6f

SHA256
64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6

SHA512
f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Pacific\Wallis

Filesize
152B

MD5
5bdd7374e21e3df324a5b3d178179715

SHA1
244ed7d52bc39d915e1f860727ecfe3f4b1ae121

SHA256
53268a8a6b11f0b8e02fc67683ae48d074efaf7b4c66e036c1478107afd9a7d7

SHA512
9c76f39e8795c50e6c5b384a7ff1f308a1c5173f42f810759b36cdeae7d33d1dac4934efeed580c59d988c152e2d7f8d9b8eb2073ab1fc15e4b9c10900c7b383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\Pacific\Yap

Filesize
172B

MD5
ec972f59902432836f93737f75c5116f

SHA1
331542d6faf6ab15ffd364d57fbaa62629b52b94

SHA256
9c1dfa1c15994dd8774e53f40cb14dcf529143468721f1dba7b2c2e14ae9f5f0

SHA512
e8e8c8f6d096c352d1244280254e4c6ecf93f7c2ff69ecc6fa4363a6be8a2daf6cfcd7f0d96bc2669268ced5565532fa06be348a139b0742ccccb83953c6324d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\pytz\zoneinfo\UCT

Filesize
114B

MD5
38bb24ba4d742dd6f50c1cba29cd966a

SHA1
d0b8991654116e9395714102c41d858c1454b3bd

SHA256
8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2

SHA512
194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16322\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
memory/1120-960-0x0000000000540000-0x0000000000616000-memory.dmp

Filesize
856KB

Download
memory/3636-47-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/4332-1713-0x000002ABD29F0000-0x000002ABD29F1000-memory.dmp

Filesize
4KB

Download
memory/4332-1714-0x000002ABD2A00000-0x000002ABD37F1000-memory.dmp

Filesize
13.9MB

Download
memory/4332-1717-0x000002ABD3800000-0x000002ABD3801000-memory.dmp

Filesize
4KB

Download
memory/4332-1715-0x000002ABD2A00000-0x000002ABD37F1000-memory.dmp

Filesize
13.9MB

Download
memory/4332-1716-0x000002ABD2A00000-0x000002ABD37F1000-memory.dmp

Filesize
13.9MB

Download