Overview

overview

10

Static

static

PZCheat.exe

windows7-x64

10

PZCheat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2023 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PZCheat.exe

  • Size

    1.5MB

  • MD5

    164ba5ee6f6b30539e874248ccfa4c05

  • SHA1

    6b14ed8dab712359453779f2896e1cbad78871d7

  • SHA256

    fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d

  • SHA512

    c9b2eef0e4499832f9c4eca8b503f17f4cc7589d0d2b12fe82572ad5df23e85cef9267bdc24928b7ac6df0fff70fe49d2422d6e9a549f07a74c8f9bd47892cfc

  • SSDEEP

    24576:B2G/nvxW3WLRnhzLfSRyBWkNUk9tJIzxIq2+kt3S5wFAiQuwV4ilByjNTVu1:BbA3+p9SRyBW0Tty2E5wFzQuo4iupRu1

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PZCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\PZCheat.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
          "C:\surrogateContainerhostcrtDll\containersavesCrt.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5004
          • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
            "C:\surrogateContainerhostcrtDll\containersavesCrt.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4644
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qt9IGSx6FQ.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4456
              • C:\Windows\SysWOW64\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4968
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                    PID:4524
                • C:\surrogateContainerhostcrtDll\upfc.exe
                  "C:\surrogateContainerhostcrtDll\upfc.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:4484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppReadiness\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containersavesCrtc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\containersavesCrt.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containersavesCrt" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\containersavesCrt.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containersavesCrtc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\containersavesCrt.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containersavesCrtc" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Characters\containersavesCrt.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containersavesCrt" /sc ONLOGON /tr "'C:\Windows\Media\Characters\containersavesCrt.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containersavesCrtc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Characters\containersavesCrt.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\surrogateContainerhostcrtDll\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\surrogateContainerhostcrtDll\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\surrogateContainerhostcrtDll\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\surrogateContainerhostcrtDll\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\surrogateContainerhostcrtDll\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\surrogateContainerhostcrtDll\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Autopilot\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Autopilot\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2424

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\containersavesCrt.exe.log
      Filesize

      1KB

      MD5

      d56746574a07d336d54eecc2a75626b7

      SHA1

      69f9eb5d18fec3bdff15fe2230783e405efffafb

      SHA256

      90ae7d9d7baf1855a980d2ce2ec58754c1664d9626cfa76ecc8eb0701d737e81

      SHA512

      001086afbe6aebb17cfd272a7fe6e3c737eb2946f385f14046d1a6f2a01dce3365de30072ba6b5029ec47a4bc850d42df293efb41c4a513e861253a4d863f12e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Qt9IGSx6FQ.bat
      Filesize

      205B

      MD5

      c218e1a9afc104e2a4548f4a886777bb

      SHA1

      de505f3154d091c477705e3db73bbe81939e2649

      SHA256

      5280b43f085d5190b84382104ad1096812ef9fdbf94a92d5cf9ec9f84fbfb763

      SHA512

      871f744f1a38ac8898047dd821ac05df697a280919a80aa9af55a629c402899e001d7eab2ddd5369da5e2a076141dc30368b029cb1553fe635f627d26ef6eb3b

      Download Submit
    • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
      Filesize

      1.2MB

      MD5

      963f8f811b559d489ac8f0f5128acb7a

      SHA1

      91b273936ab1e1f562d29893f18bfe13a8be6448

      SHA256

      a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

      SHA512

      6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

      Download Submit
    • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
      Filesize

      1.2MB

      MD5

      963f8f811b559d489ac8f0f5128acb7a

      SHA1

      91b273936ab1e1f562d29893f18bfe13a8be6448

      SHA256

      a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

      SHA512

      6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

      Download Submit
    • C:\surrogateContainerhostcrtDll\containersavesCrt.exe
      Filesize

      1.2MB

      MD5

      963f8f811b559d489ac8f0f5128acb7a

      SHA1

      91b273936ab1e1f562d29893f18bfe13a8be6448

      SHA256

      a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

      SHA512

      6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

      Download Submit
    • C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat
      Filesize

      55B

      MD5

      f1a7c3c3ddb14918973adcec0ca793e5

      SHA1

      cd8dc923af6be2083d0a41f69fb32c9a08b2ea7a

      SHA256

      ed360b14dbbe3a7a03e882f0bd9b892af8357642fcbb296e62bac96112d4a526

      SHA512

      472f2d9d775d7b3a9a17fc8327040438e591ffbaaf87be8353a4e02446bd5ee805ce39fa2c57f1b32ca6f971210fba6532d3b993b7f861a6dd49edb0986dbccf

      Download Submit
    • C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe
      Filesize

      226B

      MD5

      6a5882c4cb8293cb361d7f95c51de59e

      SHA1

      48662867659024019cfc01e2e4731f9efaa83c67

      SHA256

      1ce3ab815dfa8ab817dab9bb42c012e940041735fa4f2064f780cd44b7a5c0a2

      SHA512

      e5c5940e4f1358688df06cb84ab1b9ea3a26a336ccbef7b02b0c40cb6477894855c8513f037ec602b4fce7a72f4a54b4f4ccf314437b595521aa4b3d4f21fe9f

      Download Submit
    • C:\surrogateContainerhostcrtDll\upfc.exe
      Filesize

      1.2MB

      MD5

      963f8f811b559d489ac8f0f5128acb7a

      SHA1

      91b273936ab1e1f562d29893f18bfe13a8be6448

      SHA256

      a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

      SHA512

      6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

      Download Submit
    • C:\surrogateContainerhostcrtDll\upfc.exe
      Filesize

      1.2MB

      MD5

      963f8f811b559d489ac8f0f5128acb7a

      SHA1

      91b273936ab1e1f562d29893f18bfe13a8be6448

      SHA256

      a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

      SHA512

      6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

      Download Submit
    • memory/1896-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3312-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4456-150-0x0000000000000000-mapping.dmp
      Download
    • memory/4484-155-0x0000000000000000-mapping.dmp
      Download
    • memory/4484-158-0x0000000000E60000-0x000000000121C000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4484-159-0x0000000000E60000-0x000000000121C000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4484-160-0x0000000006F90000-0x0000000007022000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4484-161-0x0000000000E60000-0x000000000121C000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4524-154-0x0000000000000000-mapping.dmp
      Download
    • memory/4644-143-0x0000000000000000-mapping.dmp
      Download
    • memory/4644-146-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4644-148-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4644-149-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4644-151-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/4968-153-0x0000000000000000-mapping.dmp
      Download
    • memory/5004-145-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/5004-142-0x0000000006490000-0x00000000064F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5004-141-0x0000000006890000-0x0000000006E34000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5004-140-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/5004-139-0x0000000000930000-0x0000000000CEC000-memory.dmp
      Filesize

      3.7MB

      Download
    • memory/5004-136-0x0000000000000000-mapping.dmp
      Download