dcrat | eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a

Analysis

max time kernel
297s
max time network
303s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-08-2023 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe
Size

1.6MB
MD5

cd4ee1a7a160a3c103e775ec9136f10a
SHA1

53bedd6edbba3e0a56268362b3451e9a1fdc1627
SHA256

eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a
SHA512

220101710ac33527532d1b1c153ce8bd477b3b7a282fbb1a5e3139b8cd5f064fee305ef16b77b228970ce31cc378c3e9cdb57def29f36b978a4ba7f362db5d59
SSDEEP

24576:T2G/nvxW3WjfexVOsf1916TKXVF6A/fIreiReAqzEqB+qLzqb3nxBzP4U1xg:TbA3Gn6L9QeVAqzEqPOFBzPXu

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2720	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2720	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000155f3-68.dat	dcrat
behavioral1/files/0x00070000000155f3-70.dat	dcrat
behavioral1/files/0x00070000000155f3-71.dat	dcrat
behavioral1/files/0x00070000000155f3-69.dat	dcrat
behavioral1/memory/2292-72-0x0000000000250000-0x00000000003A2000-memory.dmp	dcrat
behavioral1/files/0x0006000000015c77-84.dat	dcrat
behavioral1/files/0x0006000000015dc6-98.dat	dcrat
behavioral1/files/0x0006000000015dc6-99.dat	dcrat
behavioral1/memory/1796-100-0x0000000000800000-0x0000000000952000-memory.dmp	dcrat
behavioral1/memory/1796-105-0x0000000002170000-0x00000000021F0000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2292	BlockPerfmonitor.exe
1796	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\schemas\WCN\sppsvc.exe	BlockPerfmonitor.exe
File created	C:\Windows\schemas\WCN\0a1fd5f707cd16	BlockPerfmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2276	schtasks.exe
1176	schtasks.exe
592	schtasks.exe
2436	schtasks.exe
2196	schtasks.exe
2792	schtasks.exe
600	schtasks.exe
3036	schtasks.exe
640	schtasks.exe
1784	schtasks.exe
2896	schtasks.exe
2964	schtasks.exe
1704	schtasks.exe
2508	schtasks.exe
2500	schtasks.exe
2932	schtasks.exe
1060	schtasks.exe
1516	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1952	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2292	BlockPerfmonitor.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe
1796	audiodg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1796	audiodg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	BlockPerfmonitor.exe
Token: SeDebugPrivilege	1796	audiodg.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3068	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	28
PID 2384 wrote to memory of 3068	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	28
PID 2384 wrote to memory of 3068	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	28
PID 2384 wrote to memory of 3068	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	28
PID 2384 wrote to memory of 2504	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	29
PID 2384 wrote to memory of 2504	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	29
PID 2384 wrote to memory of 2504	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	29
PID 2384 wrote to memory of 2504	2384	eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe	29
PID 3068 wrote to memory of 2876	3068	WScript.exe	30
PID 3068 wrote to memory of 2876	3068	WScript.exe	30
PID 3068 wrote to memory of 2876	3068	WScript.exe	30
PID 3068 wrote to memory of 2876	3068	WScript.exe	30
PID 2876 wrote to memory of 2292	2876	cmd.exe	32
PID 2876 wrote to memory of 2292	2876	cmd.exe	32
PID 2876 wrote to memory of 2292	2876	cmd.exe	32
PID 2876 wrote to memory of 2292	2876	cmd.exe	32
PID 2292 wrote to memory of 1964	2292	BlockPerfmonitor.exe	52
PID 2292 wrote to memory of 1964	2292	BlockPerfmonitor.exe	52
PID 2292 wrote to memory of 1964	2292	BlockPerfmonitor.exe	52
PID 1964 wrote to memory of 1960	1964	cmd.exe	54
PID 1964 wrote to memory of 1960	1964	cmd.exe	54
PID 1964 wrote to memory of 1960	1964	cmd.exe	54
PID 2876 wrote to memory of 1952	2876	cmd.exe	55
PID 2876 wrote to memory of 1952	2876	cmd.exe	55
PID 2876 wrote to memory of 1952	2876	cmd.exe	55
PID 2876 wrote to memory of 1952	2876	cmd.exe	55
PID 1964 wrote to memory of 1796	1964	cmd.exe	56
PID 1964 wrote to memory of 1796	1964	cmd.exe	56
PID 1964 wrote to memory of 1796	1964	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe
"C:\Users\Admin\AppData\Local\Temp\eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\MscomSurrogatebrokerCrt\zIFGDdD.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe
      "C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FG349hXlHd.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1960
      - C:\MscomSurrogatebrokerCrt\audiodg.exe
        
        "C:\MscomSurrogatebrokerCrt\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\file.vbs"
  2⤵
  PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f4a7982-20ee-11ee-888b-d66763f08456\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f4a7982-20ee-11ee-888b-d66763f08456\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f4a7982-20ee-11ee-888b-d66763f08456\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\WCN\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\WCN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MscomSurrogatebrokerCrt\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MscomSurrogatebrokerCrt\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MscomSurrogatebrokerCrt\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\audiodg.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\audiodg.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe

Filesize
207B

MD5
95ced681f6ed091e814560cfd6263b67

SHA1
5ce23afdddf770d7db461d949be98bafdad7927d

SHA256
acaf58fd6f360831e6af609791bea73077ffe1b976b28fd8d7640f2a63be783a

SHA512
d2ef86bd18da42befe83fa3e06857303f43c39cc9b1bd4a887f2839c948966a5f953b390a2c27733b60acf3a62191bcd8d41a513f36816ce268995362e997b91

Download Submit
C:\MscomSurrogatebrokerCrt\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\MscomSurrogatebrokerCrt\zIFGDdD.bat

Filesize
161B

MD5
ae30d28aebaf9f4d8e0f0a5322a49a9c

SHA1
99096c4cb201ebe50adf30ce7849fac2d424f634

SHA256
aeabc11a80ec4da62577d0e529009cbf15d5258ca5fb3f0bfcc07ca472699f8d

SHA512
234db49cb976a1487286efdc4d53964188bab6766d37ab0676a86c91c00e942c5ed98f4facc4d629b5efaa8f8b33bbc781675e148279bff81b0ac7c2c764caf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FG349hXlHd.bat

Filesize
203B

MD5
fde9422947aa370390d5f90f287d3876

SHA1
29d3673c5a76dc45dc912b3a34e11cc4b31a67fd

SHA256
03bedac9a20c035ad89573597597b83cc510813ba6d609e0be2438767b46f03b

SHA512
e8286de776b563ea31ad2cc0b5b3b63297dd0f116e4b948bf122a6fca6d531bf404c30546346702155621b15bb502fdf332a587c8912184d01a49dcc76ca3885

Download Submit
C:\Windows\schemas\WCN\sppsvc.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
memory/1796-100-0x0000000000800000-0x0000000000952000-memory.dmp

Filesize
1.3MB

Download
memory/1796-101-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-135-0x0000000002170000-0x00000000021F0000-memory.dmp

Filesize
512KB

Download
memory/1796-105-0x0000000002170000-0x00000000021F0000-memory.dmp

Filesize
512KB

Download
memory/1796-104-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-103-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/1796-102-0x0000000002170000-0x00000000021F0000-memory.dmp

Filesize
512KB

Download
memory/2292-73-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-72-0x0000000000250000-0x00000000003A2000-memory.dmp

Filesize
1.3MB

Download
memory/2292-77-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2292-79-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2292-96-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-74-0x000000001A960000-0x000000001A9E0000-memory.dmp

Filesize
512KB

Download
memory/2292-75-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/2292-76-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/2292-78-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download