dcrat | eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a

Analysis

max time kernel
133s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/08/2023, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.6MB
MD5

cd4ee1a7a160a3c103e775ec9136f10a
SHA1

53bedd6edbba3e0a56268362b3451e9a1fdc1627
SHA256

eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a
SHA512

220101710ac33527532d1b1c153ce8bd477b3b7a282fbb1a5e3139b8cd5f064fee305ef16b77b228970ce31cc378c3e9cdb57def29f36b978a4ba7f362db5d59
SSDEEP

24576:T2G/nvxW3WjfexVOsf1916TKXVF6A/fIreiReAqzEqB+qLzqb3nxBzP4U1xg:TbA3Gn6L9QeVAqzEqPOFBzPXu

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2452	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2452	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000152b3-71.dat	dcrat
behavioral1/files/0x00070000000152b3-70.dat	dcrat
behavioral1/files/0x00070000000152b3-69.dat	dcrat
behavioral1/files/0x00070000000152b3-68.dat	dcrat
behavioral1/memory/2720-72-0x00000000001F0000-0x0000000000342000-memory.dmp	dcrat
behavioral1/memory/2720-74-0x000000001AEF0000-0x000000001AF70000-memory.dmp	dcrat
behavioral1/files/0x0006000000015e57-84.dat	dcrat
behavioral1/files/0x0006000000016acc-102.dat	dcrat
behavioral1/files/0x0006000000016acc-103.dat	dcrat
behavioral1/memory/1692-104-0x0000000001030000-0x0000000001182000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2720	BlockPerfmonitor.exe
1692	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	BlockPerfmonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	BlockPerfmonitor.exe
File created	C:\Program Files (x86)\Windows Defender\audiodg.exe	BlockPerfmonitor.exe
File created	C:\Program Files (x86)\Windows Defender\42af1c969fbb7b	BlockPerfmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	BlockPerfmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72	BlockPerfmonitor.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\cmd.exe	BlockPerfmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1500	schtasks.exe
3024	schtasks.exe
2928	schtasks.exe
1276	schtasks.exe
2936	schtasks.exe
1688	schtasks.exe
2908	schtasks.exe
764	schtasks.exe
2600	schtasks.exe
2116	schtasks.exe
2924	schtasks.exe
2164	schtasks.exe
1956	schtasks.exe
604	schtasks.exe
2932	schtasks.exe
1648	schtasks.exe
2052	schtasks.exe
2676	schtasks.exe
1624	schtasks.exe
2168	schtasks.exe
1980	schtasks.exe
1060	schtasks.exe
2476	schtasks.exe
2248	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
664	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2720	BlockPerfmonitor.exe
2720	BlockPerfmonitor.exe
2720	BlockPerfmonitor.exe
2720	BlockPerfmonitor.exe
2720	BlockPerfmonitor.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1692	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	BlockPerfmonitor.exe
Token: SeDebugPrivilege	1692	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1800	2088	tmp.exe	28
PID 2088 wrote to memory of 1800	2088	tmp.exe	28
PID 2088 wrote to memory of 1800	2088	tmp.exe	28
PID 2088 wrote to memory of 1800	2088	tmp.exe	28
PID 2088 wrote to memory of 2964	2088	tmp.exe	29
PID 2088 wrote to memory of 2964	2088	tmp.exe	29
PID 2088 wrote to memory of 2964	2088	tmp.exe	29
PID 2088 wrote to memory of 2964	2088	tmp.exe	29
PID 1800 wrote to memory of 2732	1800	WScript.exe	30
PID 1800 wrote to memory of 2732	1800	WScript.exe	30
PID 1800 wrote to memory of 2732	1800	WScript.exe	30
PID 1800 wrote to memory of 2732	1800	WScript.exe	30
PID 2732 wrote to memory of 2720	2732	cmd.exe	32
PID 2732 wrote to memory of 2720	2732	cmd.exe	32
PID 2732 wrote to memory of 2720	2732	cmd.exe	32
PID 2732 wrote to memory of 2720	2732	cmd.exe	32
PID 2720 wrote to memory of 2348	2720	BlockPerfmonitor.exe	58
PID 2720 wrote to memory of 2348	2720	BlockPerfmonitor.exe	58
PID 2720 wrote to memory of 2348	2720	BlockPerfmonitor.exe	58
PID 2348 wrote to memory of 1848	2348	cmd.exe	60
PID 2348 wrote to memory of 1848	2348	cmd.exe	60
PID 2348 wrote to memory of 1848	2348	cmd.exe	60
PID 2732 wrote to memory of 664	2732	cmd.exe	61
PID 2732 wrote to memory of 664	2732	cmd.exe	61
PID 2732 wrote to memory of 664	2732	cmd.exe	61
PID 2732 wrote to memory of 664	2732	cmd.exe	61
PID 2348 wrote to memory of 1692	2348	cmd.exe	62
PID 2348 wrote to memory of 1692	2348	cmd.exe	62
PID 2348 wrote to memory of 1692	2348	cmd.exe	62

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\MscomSurrogatebrokerCrt\zIFGDdD.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe
      "C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ulGDTFZSq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1848
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\file.vbs"
  2⤵
  PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f4a7982-20ee-11ee-888b-d66763f08456\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f4a7982-20ee-11ee-888b-d66763f08456\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f4a7982-20ee-11ee-888b-d66763f08456\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MscomSurrogatebrokerCrt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MscomSurrogatebrokerCrt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MscomSurrogatebrokerCrt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MscomSurrogatebrokerCrt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MscomSurrogatebrokerCrt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MscomSurrogatebrokerCrt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MscomSurrogatebrokerCrt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MscomSurrogatebrokerCrt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MscomSurrogatebrokerCrt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe

Filesize
207B

MD5
95ced681f6ed091e814560cfd6263b67

SHA1
5ce23afdddf770d7db461d949be98bafdad7927d

SHA256
acaf58fd6f360831e6af609791bea73077ffe1b976b28fd8d7640f2a63be783a

SHA512
d2ef86bd18da42befe83fa3e06857303f43c39cc9b1bd4a887f2839c948966a5f953b390a2c27733b60acf3a62191bcd8d41a513f36816ce268995362e997b91

Download Submit
C:\MscomSurrogatebrokerCrt\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\MscomSurrogatebrokerCrt\wininit.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\zIFGDdD.bat

Filesize
161B

MD5
ae30d28aebaf9f4d8e0f0a5322a49a9c

SHA1
99096c4cb201ebe50adf30ce7849fac2d424f634

SHA256
aeabc11a80ec4da62577d0e529009cbf15d5258ca5fb3f0bfcc07ca472699f8d

SHA512
234db49cb976a1487286efdc4d53964188bab6766d37ab0676a86c91c00e942c5ed98f4facc4d629b5efaa8f8b33bbc781675e148279bff81b0ac7c2c764caf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ulGDTFZSq.bat

Filesize
240B

MD5
5b3225fbe9a5e0690e0227a4c160d7bc

SHA1
aececec085e81db881e0fd654bcc388f062aeed7

SHA256
715e58e0c99b8f8e5d9ead1fb1fdda8bb232cc9b0dcea95f5fcf24ef5fab8380

SHA512
4fd38be8da17a58863024d5756a94c940f51f5ba2332fa71e67b917d6af463bdfc9305872797a15907ee1aae521b6bc2a1ac759aa3c621970c553aca37eba106

Download Submit
\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
memory/1692-139-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/1692-112-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/1692-113-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/1692-107-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-106-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/1692-105-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-104-0x0000000001030000-0x0000000001182000-memory.dmp

Filesize
1.3MB

Download
memory/2720-79-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2720-72-0x00000000001F0000-0x0000000000342000-memory.dmp

Filesize
1.3MB

Download
memory/2720-101-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-73-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-74-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2720-75-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/2720-78-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2720-77-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2720-76-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download