Analysis
-
max time kernel
90s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
02-02-2023 11:51
Behavioral task
behavioral1
Sample
HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
Resource
win10v2004-20220901-en
General
-
Target
HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
-
Size
1.4MB
-
MD5
dd32729dcf73c31a478099c25da5789c
-
SHA1
dad05d17829936c6136d16962c38d2981e56bb21
-
SHA256
6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
-
SHA512
fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0
-
SSDEEP
24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ
Malware Config
Signatures
-
DcRat 9 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
2128 schtasks.exe
1936 schtasks.exe
2420 schtasks.exe
3656 schtasks.exe
3532 schtasks.exe
1992 schtasks.exe
3808 schtasks.exe
856 schtasks.exe
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3656 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3808 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 4412 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 856 4412 schtasks.exe
-
Processes:
resource yara_rule
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe dcrat
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe dcrat
behavioral2/memory/3968-139-0x0000000000520000-0x0000000000642000-memory.dmp dcrat
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe dcrat
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe dcrat
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe dcrat
-
Executes dropped EXE 3 IoCs
Processes:
pid process
3968 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
1844 fontdrvhost.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation winPerfdhcpCommonSvcsavesperfMonitor.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation winPerfdhcpCommonSvcsavesperfMonitor.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\werdiagcontroller\\fontdrvhost.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winPerfdhcpCommonSvcsavesperfMonitor = "\"C:\\winPerfdhcpCommonSvc\\qBt7GIlH160\\winPerfdhcpCommonSvcsavesperfMonitor.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources\\SearchApp.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\odt\\wininit.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\PeerDistHttpTrans\\RuntimeBroker.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\RuntimeBroker.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\wincredui\\taskhostw.exe\"" winPerfdhcpCommonSvcsavesperfMonitor.exe
-
Drops file in System32 directory 6 IoCs
Processes:
description ioc process
File created C:\Windows\System32\werdiagcontroller\5b884080fd4f94e2695da25c503f9e33b9605b83 winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Windows\System32\PeerDistHttpTrans\RuntimeBroker.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Windows\System32\PeerDistHttpTrans\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Windows\System32\wincredui\taskhostw.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Windows\System32\wincredui\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Windows\System32\werdiagcontroller\fontdrvhost.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description ioc process
File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\38384e6a620884a6b69bcc56f80d556f9200171c winPerfdhcpCommonSvcsavesperfMonitor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
1992 schtasks.exe
3808 schtasks.exe
2128 schtasks.exe
1936 schtasks.exe
2420 schtasks.exe
856 schtasks.exe
3656 schtasks.exe
3532 schtasks.exe
-
Modifies registry class 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid process
3968 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
1844 fontdrvhost.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3968 winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege 3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege 1844 fontdrvhost.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 4252 wrote to memory of 2404 4252 HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe WScript.exe
PID 4252 wrote to memory of 2404 4252 HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe WScript.exe
PID 4252 wrote to memory of 2404 4252 HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe WScript.exe
PID 2404 wrote to memory of 216 2404 WScript.exe cmd.exe
PID 2404 wrote to memory of 216 2404 WScript.exe cmd.exe
PID 2404 wrote to memory of 216 2404 WScript.exe cmd.exe
PID 216 wrote to memory of 3968 216 cmd.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 216 wrote to memory of 3968 216 cmd.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 3968 wrote to memory of 3308 3968 winPerfdhcpCommonSvcsavesperfMonitor.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 3968 wrote to memory of 3308 3968 winPerfdhcpCommonSvcsavesperfMonitor.exe winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 3308 wrote to memory of 1844 3308 winPerfdhcpCommonSvcsavesperfMonitor.exe fontdrvhost.exe
PID 3308 wrote to memory of 1844 3308 winPerfdhcpCommonSvcsavesperfMonitor.exe fontdrvhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe" 1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe" 2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" " 3⤵
- Suspicious use of WriteProcessMemory
-
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe "C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe" 4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe "C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe" 5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe "C:\Windows\System32\werdiagcontroller\fontdrvhost.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\PeerDistHttpTrans\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\wincredui\taskhostw.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\werdiagcontroller\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winPerfdhcpCommonSvcsavesperfMonitor" /sc ONLOGON /tr "'C:\winPerfdhcpCommonSvc\qBt7GIlH160\winPerfdhcpCommonSvcsavesperfMonitor.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winPerfdhcpCommonSvcsavesperfMonitor.exe.log
Filesize 1KB
-
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe
Filesize 1.1MB
-
C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe
Filesize 205B
-
C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat
Filesize 66B
-
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize 1.1MB