Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    301s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12/03/2023, 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f21b3590e366009837b47d593fe3b6078a81922799a7eb0262de47c1ebe03c0.exe

  • Size

    1.6MB

  • MD5

    6d7d70595af3ae4115d69718f718b880

  • SHA1

    6b6b3addca0399dd4f2d36548179d96caa25c80a

  • SHA256

    6f21b3590e366009837b47d593fe3b6078a81922799a7eb0262de47c1ebe03c0

  • SHA512

    ae64359e108f51a91d94942d08b273b52b53351c641cb6c7023b77586b37b7efca37c1455aa500b5954d6575639354f78716bd8d8d24c437d756066dadf57add

  • SSDEEP

    24576:U2G/nvxW3Ww0t/QGhgyp3PKgG0reey15j6IaXG6hCqsNbSv0P6N1B:UbA304GhrpFNIO5hCqWPP6Nn

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f21b3590e366009837b47d593fe3b6078a81922799a7eb0262de47c1ebe03c0.exe
    "C:\Users\Admin\AppData\Local\Temp\6f21b3590e366009837b47d593fe3b6078a81922799a7eb0262de47c1ebe03c0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\serverRuntimeperfNet\szYrcjGuYLGmL0L4KP7jJ67pgceF.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\serverRuntimeperfNet\qmzY6VsVMzatuzX.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\serverRuntimeperfNet\surrogatefontbroker.exe
          "C:\serverRuntimeperfNet\surrogatefontbroker.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NJ9yZIXzA0.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:924
              • C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe
                "C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\serverRuntimeperfNet\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\serverRuntimeperfNet\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\serverRuntimeperfNet\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\serverRuntimeperfNet\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\serverRuntimeperfNet\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\serverRuntimeperfNet\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1888
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1796
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "surrogatefontbrokers" /sc MINUTE /mo 14 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\surrogatefontbroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "surrogatefontbroker" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\surrogatefontbroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "surrogatefontbrokers" /sc MINUTE /mo 10 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\surrogatefontbroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\migration\es-ES\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SysWOW64\migration\es-ES\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\migration\es-ES\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:956
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {15521384-7CAE-429E-9EF3-B7528B27C6AD} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\migration\es-ES\lsm.exe
        C:\Windows\SysWOW64\migration\es-ES\lsm.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NJ9yZIXzA0.bat
      Filesize

      233B

      MD5

      817846e435d761a8b5e6dddb16e36dfd

      SHA1

      4f35fd2119f46c98b84b62666ab0589e4dc51277

      SHA256

      dc52246965d2f07dacb2818127238a4411d56cdcd8b1e633dc28c73d072e57b4

      SHA512

      992907e4c5d84852263ea419eb5956d029cbbe8462d11f5705d1095fd826236580723df8477769927b3ca3e2984fbb4a7ece39c215fd723155d17d4e04d7a10e

      Download Submit

    • C:\Windows\SysWOW64\migration\es-ES\lsm.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\Windows\SysWOW64\migration\es-ES\lsm.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\serverRuntimeperfNet\qmzY6VsVMzatuzX.bat
      Filesize

      49B

      MD5

      8cfb56e485ff86e82d6f9e7a319617ab

      SHA1

      d071fb71ca118caeab9bda297ddd60190460dcd2

      SHA256

      58e393022079288275223afe82aabff34db169d74fa288ae01ecd619b166e023

      SHA512

      5e366b4b91854a0cf59419d663bf2cc2c36306acd3a659275e43d26fbe6e0695f33b0f514020e47ef2077a13b9cdbddb1d8e157dd54bdb84a2dfa522223cdd5d

      Download Submit

    • C:\serverRuntimeperfNet\surrogatefontbroker.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\serverRuntimeperfNet\surrogatefontbroker.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • C:\serverRuntimeperfNet\szYrcjGuYLGmL0L4KP7jJ67pgceF.vbe
      Filesize

      212B

      MD5

      ac5d5bb02e03d9f968b07f0e3d9207fd

      SHA1

      8d0e6bf882fff66333a289aa46dd72fe1d3798f2

      SHA256

      51dc3e697cdbf76e5a80c964ca116e80e3cd9ac9daf1ad66a2ccf780380ca0ff

      SHA512

      49a29d78ba3ff006357a5786b4028b17ed4123d8076beaaa72ebc13cbe8b3a92e63e4f4e8e447aab11dbb5cc06c7035c52ac643c6addf21c0653f1af274825a8

      Download Submit

    • \serverRuntimeperfNet\surrogatefontbroker.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • \serverRuntimeperfNet\surrogatefontbroker.exe
      Filesize

      1.3MB

      MD5

      c809062f8c74c3555143eec236bec626

      SHA1

      ec57ce4a59096421e9a2edad45411cea658f41ad

      SHA256

      28c22038a27c2fef303d27617b00f70244ad1cc4b36d72875d17341e539d4ef1

      SHA512

      4c5cb9dc7b710b34b5de2d56ed9c917c7c15ae0d960ff63a8218d3a1780ca12cf290b25ddcaa87dbb0a18aba998b9572b1a6bad244580ea0d2e2e3aa2dea0cb5

      Download Submit

    • memory/552-67-0x0000000001380000-0x00000000014CC000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/552-72-0x0000000000530000-0x000000000053E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/552-71-0x000000001AF30000-0x000000001AFB0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/552-70-0x00000000004C0000-0x00000000004D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/552-69-0x0000000000500000-0x0000000000516000-memory.dmp

      Filesize

      88KB

      Download

    • memory/552-68-0x00000000004E0000-0x00000000004FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/660-114-0x0000000000020000-0x000000000016C000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/660-115-0x000000001B2A0000-0x000000001B320000-memory.dmp

      Filesize

      512KB

      Download

    • memory/660-116-0x000000001B2A0000-0x000000001B320000-memory.dmp

      Filesize

      512KB

      Download

    • memory/660-122-0x000000001B2A0000-0x000000001B320000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1108-143-0x0000000000310000-0x000000000045C000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1108-144-0x000000001AFB0000-0x000000001B030000-memory.dmp

      Filesize

      512KB

      Download