dcrat | 6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
Size

1.4MB
MD5

dd32729dcf73c31a478099c25da5789c
SHA1

dad05d17829936c6136d16962c38d2981e56bb21
SHA256

6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
SHA512

fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0
SSDEEP

24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exewinPerfdhcpCommonSvcsavesperfMonitor.exeschtasks.exeschtasks.exe

pid	process
1252	schtasks.exe
800	schtasks.exe
916	schtasks.exe
1548	schtasks.exe
1464	schtasks.exe
1072	schtasks.exe
1520	schtasks.exe
File created	C:\Windows\System32\pdhui\lsass.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
2036	schtasks.exe
996	schtasks.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	1912	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
behavioral1/memory/576-65-0x0000000000FA0000-0x00000000010C2000-memory.dmp	dcrat
C:\Documents and Settings\WmiPrvSE.exe	dcrat
C:\Users\WmiPrvSE.exe	dcrat
behavioral1/memory/972-73-0x0000000000CF0000-0x0000000000E12000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exeWmiPrvSE.exe

pid process

576 winPerfdhcpCommonSvcsavesperfMonitor.exe
972 WmiPrvSE.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

432 cmd.exe
432 cmd.exe

pid	process
576	winPerfdhcpCommonSvcsavesperfMonitor.exe
972	WmiPrvSE.exe

pid	process
432	cmd.exe
432	cmd.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\normnfc\\winlogon.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\rasctrnm\\csrss.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\FXST30\\sppsvc.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\api-ms-win-core-localregistry-l1-1-0\\lsm.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\calc\\dwm.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\WmiPrvSE.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\pdhui\\lsass.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe

Drops file in System32 directory 13 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
File opened for modification	C:\Windows\System32\pdhui\lsass.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\pdhui\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\FXST30\sppsvc.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\FXST30\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\rasctrnm\csrss.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0\lsm.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\normnfc\winlogon.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\pdhui\lsass.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\calc\dwm.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0\101b941d020240259ca4912829b53995ad543df6	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\normnfc\cc11b995f2a76da408ea6a601e682e64743153ad	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\calc\6cb0b6c459d5d3455a3da700e713f2e2529862ff	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\rasctrnm\886983d96e3d3e31032c679b2d4ea91b6c05afef	winPerfdhcpCommonSvcsavesperfMonitor.exe

Drops file in Program Files directory 4 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64d8139363b71e44ac16341adf4e	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\24dbde2999530ef5fd907494bc374d663924116c	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1464	schtasks.exe
1252	schtasks.exe
996	schtasks.exe
800	schtasks.exe
916	schtasks.exe
1548	schtasks.exe
1520	schtasks.exe
2036	schtasks.exe
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exeWmiPrvSE.exe

pid process

576 winPerfdhcpCommonSvcsavesperfMonitor.exe
972 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 576 winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege 972 WmiPrvSE.exe

pid	process
576	winPerfdhcpCommonSvcsavesperfMonitor.exe
972	WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	576	winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege	972	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exeWScript.execmd.exewinPerfdhcpCommonSvcsavesperfMonitor.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 520	1112	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 1112 wrote to memory of 520	1112	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 1112 wrote to memory of 520	1112	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 1112 wrote to memory of 520	1112	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 520 wrote to memory of 432	520	WScript.exe	cmd.exe
PID 520 wrote to memory of 432	520	WScript.exe	cmd.exe
PID 520 wrote to memory of 432	520	WScript.exe	cmd.exe
PID 520 wrote to memory of 432	520	WScript.exe	cmd.exe
PID 432 wrote to memory of 576	432	cmd.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 432 wrote to memory of 576	432	cmd.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 432 wrote to memory of 576	432	cmd.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 432 wrote to memory of 576	432	cmd.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 576 wrote to memory of 1696	576	winPerfdhcpCommonSvcsavesperfMonitor.exe	cmd.exe
PID 576 wrote to memory of 1696	576	winPerfdhcpCommonSvcsavesperfMonitor.exe	cmd.exe
PID 576 wrote to memory of 1696	576	winPerfdhcpCommonSvcsavesperfMonitor.exe	cmd.exe
PID 1696 wrote to memory of 952	1696	cmd.exe	chcp.com
PID 1696 wrote to memory of 952	1696	cmd.exe	chcp.com
PID 1696 wrote to memory of 952	1696	cmd.exe	chcp.com
PID 1696 wrote to memory of 1732	1696	cmd.exe	w32tm.exe
PID 1696 wrote to memory of 1732	1696	cmd.exe	w32tm.exe
PID 1696 wrote to memory of 1732	1696	cmd.exe	w32tm.exe
PID 1696 wrote to memory of 972	1696	cmd.exe	WmiPrvSE.exe
PID 1696 wrote to memory of 972	1696	cmd.exe	WmiPrvSE.exe
PID 1696 wrote to memory of 972	1696	cmd.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
"C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
4⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aaAiyLVhrv.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:952

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1732

C:\Documents and Settings\WmiPrvSE.exe
"C:\Documents and Settings\WmiPrvSE.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\pdhui\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\FXST30\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\rasctrnm\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\normnfc\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\calc\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\WmiPrvSE.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaAiyLVhrv.bat
Filesize
254B

MD5
51f7699fe7a81b2c729b9f9dc96b9142

SHA1
c82ebeed2abfc3bcdf9ab83cc86408528ec3674e

SHA256
926865ab5164d88b43a551f4acdc5781156ec22c2a11fd8a06ae0ef62d887d2a

SHA512
a091471296efe829332150d93cb40c0e1a2911a631e3174084d90bb76f1f52eae8356777c6ba68a15cfcb377ed386dc314c7381226cd51c2770504a155148ca0

Download Submit
C:\Users\WmiPrvSE.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe
Filesize
205B

MD5
abd20005732c70524b80234027cf0db4

SHA1
d0cdbcfce900f87af778847ef0d3cab111d81a96

SHA256
a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6

SHA512
c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba

Download Submit
C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat
Filesize
66B

MD5
58afc535c3d36e78abb3677a61dc4737

SHA1
bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4

SHA256
ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4

SHA512
8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3

Download Submit
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
memory/432-59-0x0000000000000000-mapping.dmp

Download
memory/520-55-0x0000000000000000-mapping.dmp

Download
memory/576-65-0x0000000000FA0000-0x00000000010C2000-memory.dmp

Filesize
1.1MB

Download
memory/576-63-0x0000000000000000-mapping.dmp

Download
memory/952-68-0x0000000000000000-mapping.dmp

Download
memory/972-71-0x0000000000000000-mapping.dmp

Download
memory/972-73-0x0000000000CF0000-0x0000000000E12000-memory.dmp

Filesize
1.1MB

Download
memory/1112-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1696-66-0x0000000000000000-mapping.dmp

Download
memory/1732-69-0x0000000000000000-mapping.dmp

Download