dcrat | e3695272fa7651aa35324249135e6ea4f10166a20fc896fbe67d9c4e3eaa28f4

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79948761051a1e17f02524190df4a72.exe
Size

6.8MB
MD5

e79948761051a1e17f02524190df4a72
SHA1

de5e022a20d3042f86cc32c0094ed8c289d16af1
SHA256

e3695272fa7651aa35324249135e6ea4f10166a20fc896fbe67d9c4e3eaa28f4
SHA512

de9d9cd0caec960af644c26517ec5a726295b4f7847849092de28ecbe04ae97ac4636ce2335974dc0b6c8e1455b0192248e3abf3c8befc4ae809e14f9f7b27dc
SSDEEP

196608:T/HMlS2JxmYcmcg7XGqb6Msq51GPfe7qfGAb:7slSDVoXGe1GrfPb

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 52 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exee79948761051a1e17f02524190df4a72.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1292	schtasks.exe
1860	schtasks.exe
3012	schtasks.exe
1364	schtasks.exe
1216	schtasks.exe
848	schtasks.exe
1712	schtasks.exe
2300	schtasks.exe
2644	schtasks.exe
2364	schtasks.exe
1536	schtasks.exe
2768	schtasks.exe
1792	schtasks.exe
2088	schtasks.exe
772	schtasks.exe
1760	schtasks.exe
2936	schtasks.exe
3056	schtasks.exe
1748	schtasks.exe
2852	schtasks.exe
2424	schtasks.exe
800	schtasks.exe
1576	schtasks.exe
2336	schtasks.exe
2732	schtasks.exe
684	schtasks.exe
1444	schtasks.exe
1424	schtasks.exe
2712	schtasks.exe
864	schtasks.exe
2864	schtasks.exe
400	schtasks.exe
1720	schtasks.exe
1276	schtasks.exe
1416	schtasks.exe
1528	schtasks.exe
1772	schtasks.exe
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\14.0\Common	e79948761051a1e17f02524190df4a72.exe
1956	schtasks.exe
2216	schtasks.exe
2052	schtasks.exe
1692	schtasks.exe
844	schtasks.exe
2104	schtasks.exe
2248	schtasks.exe
1940	schtasks.exe
2344	schtasks.exe
1512	schtasks.exe
2568	schtasks.exe
924	schtasks.exe
2904	schtasks.exe
576	schtasks.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2588	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\build.exe	dcrat
behavioral1/memory/2084-9-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
C:\sessionperf\chainproviderbroker.exe	dcrat
behavioral1/memory/2560-24-0x0000000001340000-0x0000000001474000-memory.dmp	dcrat
behavioral1/memory/2180-77-0x0000000000850000-0x0000000000984000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

build.exechainproviderbroker.exetaskhost.exe

pid process

2344 build.exe
2560 chainproviderbroker.exe
2180 taskhost.exe
Loads dropped DLL 3 IoCs

Processes:

e79948761051a1e17f02524190df4a72.execmd.exe

pid process

2084 e79948761051a1e17f02524190df4a72.exe
2484 cmd.exe
2484 cmd.exe

pid	process
2344	build.exe
2560	chainproviderbroker.exe
2180	taskhost.exe

pid	process
2084	e79948761051a1e17f02524190df4a72.exe
2484	cmd.exe
2484	cmd.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 12 IoCs

Processes:

chainproviderbroker.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\7a0fd90576e088	chainproviderbroker.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	chainproviderbroker.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\6ccacd8608530f	chainproviderbroker.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	chainproviderbroker.exe
File created	C:\Program Files\Windows Media Player\ja-JP\taskhost.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Media Player\ja-JP\b75386f1303e64	chainproviderbroker.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\b75386f1303e64	chainproviderbroker.exe

Drops file in Windows directory 6 IoCs

Processes:

chainproviderbroker.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe	chainproviderbroker.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\cc11b995f2a76d	chainproviderbroker.exe
File created	C:\Windows\system\lsass.exe	chainproviderbroker.exe
File created	C:\Windows\system\6203df4a6bafc7	chainproviderbroker.exe
File created	C:\Windows\AppPatch\es-ES\dwm.exe	chainproviderbroker.exe
File created	C:\Windows\AppPatch\es-ES\6cb0b6c459d5d3	chainproviderbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2216	schtasks.exe
2336	schtasks.exe
2936	schtasks.exe
2864	schtasks.exe
2904	schtasks.exe
684	schtasks.exe
2364	schtasks.exe
3012	schtasks.exe
1528	schtasks.exe
1364	schtasks.exe
576	schtasks.exe
1576	schtasks.exe
1772	schtasks.exe
1792	schtasks.exe
1512	schtasks.exe
1956	schtasks.exe
1720	schtasks.exe
2712	schtasks.exe
2052	schtasks.exe
400	schtasks.exe
2344	schtasks.exe
3056	schtasks.exe
1692	schtasks.exe
2568	schtasks.exe
844	schtasks.exe
772	schtasks.exe
1276	schtasks.exe
2088	schtasks.exe
2852	schtasks.exe
864	schtasks.exe
1712	schtasks.exe
1216	schtasks.exe
848	schtasks.exe
2424	schtasks.exe
2768	schtasks.exe
2644	schtasks.exe
2300	schtasks.exe
800	schtasks.exe
1748	schtasks.exe
1760	schtasks.exe
1536	schtasks.exe
1424	schtasks.exe
2248	schtasks.exe
1416	schtasks.exe
1292	schtasks.exe
1940	schtasks.exe
924	schtasks.exe
1444	schtasks.exe
2104	schtasks.exe
2732	schtasks.exe
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chainproviderbroker.exetaskhost.exe

pid	process
2560	chainproviderbroker.exe
2560	chainproviderbroker.exe
2560	chainproviderbroker.exe
2560	chainproviderbroker.exe
2560	chainproviderbroker.exe
2560	chainproviderbroker.exe
2560	chainproviderbroker.exe
2180	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

1172 msiexec.exe

pid	process
1172	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

msiexec.exechainproviderbroker.exetaskhost.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1172	msiexec.exe
Token: SeDebugPrivilege	2560	chainproviderbroker.exe
Token: SeDebugPrivilege	2180	taskhost.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeCreateTokenPrivilege	1172	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1172	msiexec.exe
Token: SeLockMemoryPrivilege	1172	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1172	msiexec.exe
Token: SeMachineAccountPrivilege	1172	msiexec.exe
Token: SeTcbPrivilege	1172	msiexec.exe
Token: SeSecurityPrivilege	1172	msiexec.exe
Token: SeTakeOwnershipPrivilege	1172	msiexec.exe
Token: SeLoadDriverPrivilege	1172	msiexec.exe
Token: SeSystemProfilePrivilege	1172	msiexec.exe
Token: SeSystemtimePrivilege	1172	msiexec.exe
Token: SeProfSingleProcessPrivilege	1172	msiexec.exe
Token: SeIncBasePriorityPrivilege	1172	msiexec.exe
Token: SeCreatePagefilePrivilege	1172	msiexec.exe
Token: SeCreatePermanentPrivilege	1172	msiexec.exe
Token: SeBackupPrivilege	1172	msiexec.exe
Token: SeRestorePrivilege	1172	msiexec.exe
Token: SeShutdownPrivilege	1172	msiexec.exe
Token: SeDebugPrivilege	1172	msiexec.exe
Token: SeAuditPrivilege	1172	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1172	msiexec.exe
Token: SeChangeNotifyPrivilege	1172	msiexec.exe
Token: SeRemoteShutdownPrivilege	1172	msiexec.exe
Token: SeUndockPrivilege	1172	msiexec.exe
Token: SeSyncAgentPrivilege	1172	msiexec.exe
Token: SeEnableDelegationPrivilege	1172	msiexec.exe
Token: SeManageVolumePrivilege	1172	msiexec.exe
Token: SeImpersonatePrivilege	1172	msiexec.exe
Token: SeCreateGlobalPrivilege	1172	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1172 msiexec.exe

pid	process
1172	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

e79948761051a1e17f02524190df4a72.exebuild.exeWScript.execmd.exechainproviderbroker.execmd.exe

description	pid	process	target process
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 1172	2084	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 2084 wrote to memory of 2344	2084	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 2084 wrote to memory of 2344	2084	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 2084 wrote to memory of 2344	2084	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 2084 wrote to memory of 2344	2084	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 2344 wrote to memory of 2120	2344	build.exe	WScript.exe
PID 2344 wrote to memory of 2120	2344	build.exe	WScript.exe
PID 2344 wrote to memory of 2120	2344	build.exe	WScript.exe
PID 2344 wrote to memory of 2120	2344	build.exe	WScript.exe
PID 2120 wrote to memory of 2484	2120	WScript.exe	cmd.exe
PID 2120 wrote to memory of 2484	2120	WScript.exe	cmd.exe
PID 2120 wrote to memory of 2484	2120	WScript.exe	cmd.exe
PID 2120 wrote to memory of 2484	2120	WScript.exe	cmd.exe
PID 2484 wrote to memory of 2560	2484	cmd.exe	chainproviderbroker.exe
PID 2484 wrote to memory of 2560	2484	cmd.exe	chainproviderbroker.exe
PID 2484 wrote to memory of 2560	2484	cmd.exe	chainproviderbroker.exe
PID 2484 wrote to memory of 2560	2484	cmd.exe	chainproviderbroker.exe
PID 2560 wrote to memory of 804	2560	chainproviderbroker.exe	cmd.exe
PID 2560 wrote to memory of 804	2560	chainproviderbroker.exe	cmd.exe
PID 2560 wrote to memory of 804	2560	chainproviderbroker.exe	cmd.exe
PID 804 wrote to memory of 2652	804	cmd.exe	w32tm.exe
PID 804 wrote to memory of 2652	804	cmd.exe	w32tm.exe
PID 804 wrote to memory of 2652	804	cmd.exe	w32tm.exe
PID 804 wrote to memory of 2180	804	cmd.exe	taskhost.exe
PID 804 wrote to memory of 2180	804	cmd.exe	taskhost.exe
PID 804 wrote to memory of 2180	804	cmd.exe	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e79948761051a1e17f02524190df4a72.exe
"C:\Users\Admin\AppData\Local\Temp\e79948761051a1e17f02524190df4a72.exe"
1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
2⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1172

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\sessionperf\StDKs.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\sessionperf\Bzp9ojfmO6NhLVjwIYSLn.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484

C:\sessionperf\chainproviderbroker.exe
"C:\sessionperf\chainproviderbroker.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\30YUXC5niV.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2652

C:\Program Files\Windows Media Player\ja-JP\taskhost.exe
"C:\Program Files\Windows Media Player\ja-JP\taskhost.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\sessionperf\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\sessionperf\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\sessionperf\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\sessionperf\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\sessionperf\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\sessionperf\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\system\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\sessionperf\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\sessionperf\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\sessionperf\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\es-ES\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30YUXC5niV.bat
Filesize
221B

MD5
4c944db27bcc5337883078d4a14909cf

SHA1
cf15a35587f81084ade49e6e1d4238104d25a084

SHA256
8979b7a13cc8abf103e74de0077ecb19cc874c890342606ad23d8131399c04a1

SHA512
19166d0325da242fbdcce89f20defb7607c69b3253ac07342b0a872446761c99fa4dbcf3ee6989a76c856521aad0de7bc86b7549779c0b002646256696208e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73CB.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
Filesize
5.0MB

MD5
5003486a784143bc96c3577172bbb44a

SHA1
9a960998807126041fae5b4fe9488d7ff3c5ca42

SHA256
b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

SHA512
3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC161.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\sessionperf\Bzp9ojfmO6NhLVjwIYSLn.bat
Filesize
40B

MD5
468d6e383a53e8afb1cfdef13eb2fa32

SHA1
767d71bdb1ec23d24fd902f32507c475acf2460c

SHA256
57305997be6d5e00a4286bc17a4506f87eca5b91fea8d5d3f9807c4d0fab0724

SHA512
8866a9d48004660a3b39cd5e193d3919a55e5aed83cdfa64d52f91fcf5ae89913ba3c6c7ee65ced9e07dc895594273459ea2dbabbdf77f041bffd289f857f88d

Download Submit
C:\sessionperf\StDKs.vbe
Filesize
209B

MD5
cd32e77669dd6e08056e373ff84e2cb7

SHA1
71367f3fa0bcab49aa2194f26bdbd6b6a238037e

SHA256
ffd98e10c26d00fa3512ead5a0a1a35011db7894cff3d4c53e568a28ea5d03aa

SHA512
4227711947cdcb1e3dd8eb1e8e19c91da0ef1fa6356c5b06cb5b4626a636acc54d1f767073d5cca57eb2f732d058b6a12b51b3b4a6fb52097f2a94eef99d5d7e

Download Submit
C:\sessionperf\chainproviderbroker.exe
Filesize
1.2MB

MD5
0ba781a9b64961c8ab3f72067a1deb5a

SHA1
233e7541fa084f0319c8d7f4b8ee5e0fe72757f6

SHA256
b6bd78da32ef81f729dbb620ff22882f6a90ca5128127c944b5e1759b33fcdfc

SHA512
358ecf3e0baac77976def258552d25eb2334032150ae658e29fcde60452c046966cb6dd686bfa97192436ad5e8c3819b3051ae335bf39f286d73b9e6f09f10af

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
1.6MB

MD5
3d90f45673132f332a6c78a52dc531f7

SHA1
fd7ed3856c9946c87afdab26148935f2604794e3

SHA256
2ad72b8a6ffcf7a104f5e9c2aab20271394b25af5afd798a0e731e9f5fd293d7

SHA512
0f376f9e4fa4ac28151f24efb5cf1f3ee8bac7da6c6be0cf4a3a89980cf8c7b7930be2f7591af751fcef04102c3bfbe370ac10f46ca2107b4fd9e7ec75b32ac4

Download Submit
memory/2084-9-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/2180-77-0x0000000000850000-0x0000000000984000-memory.dmp

Filesize
1.2MB

Download
memory/2560-24-0x0000000001340000-0x0000000001474000-memory.dmp

Filesize
1.2MB

Download
memory/2560-26-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2560-27-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2560-28-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2560-25-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download