Overview

overview

10

Static

static

3

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.8MB

  • MD5

    013bc21b187fbf033bdeec699b2263b5

  • SHA1

    78a44777f96bdd338e037fc87c548fe9b6e7f241

  • SHA256

    191d579dcc73daaca18b2442b8411f05d50ad19ea1ba834a0e2c67414edfdaf5

  • SHA512

    332b58b80ed3b88bbaaf59c4b3ab8735af56e6377ed36d8da625fd8c139d5607a7f5de603d85ba155dd78fdaca46e3a456693afd32b5cb1d88567e765a35abf0

  • SSDEEP

    24576:2TbBv5rUyXVuTutB3BpIRgMS/JiVQZph3Ute6XjQ+O34nNRB2PfC0xOhAjKEge1o:IBJuTu3ERX2Ysh30Ep34NKTxOWjKECd

Score
10/10
dcratdiscoveryevasionexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Driverruntimeperfdll\m71jv3paESEH9S1QA3ZsNaBNLB28NhVlZEjuWU.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Driverruntimeperfdll\uPDozmlRKjrXNChMTgfGYis2.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2252
        • C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe
          "C:\Driverruntimeperfdll/surrogatesavesBrokerhost.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfidkczv\xfidkczv.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50BF.tmp" "c:\Windows\System32\CSCF492066B204E759059B9831156BE95.TMP"
              6⤵
                PID:2936
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1160
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1592
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:364
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Driverruntimeperfdll/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1628
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2232
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1980
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1960
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1732
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2152
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:784
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1724
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\Idle.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:916
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\System.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1256
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:112
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2380
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:780
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gM9PT83G56.bat"
              5⤵
                PID:1812
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  6⤵
                    PID:2736
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    6⤵
                      PID:1640
                    • C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe
                      "C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\fr-FR\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\fr-FR\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2224
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2188
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1344
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "surrogatesavesBrokerhosts" /sc MINUTE /mo 6 /tr "'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "surrogatesavesBrokerhost" /sc ONLOGON /tr "'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "surrogatesavesBrokerhosts" /sc MINUTE /mo 10 /tr "'C:\Driverruntimeperfdll\surrogatesavesBrokerhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1468

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          3
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Driverruntimeperfdll\m71jv3paESEH9S1QA3ZsNaBNLB28NhVlZEjuWU.vbe
            Filesize

            222B

            MD5

            b6b3920b58d924e219828c67336f9202

            SHA1

            cb1edfba46ed630f75d694921ee738880dffd095

            SHA256

            f16ba871ed12b8a447a30c861a27a1324a11346541aabdc38469adcce6d3adaa

            SHA512

            04e583eb72e34c3f5ebf7b24cc4fe97d52e4a1e2b8deeef20210bcf82161e7cfeebf467767e246c0b4af948a71ca1768ab61e416e915f72eba55e7cca23cab3b

            Download Submit

          • C:\Driverruntimeperfdll\uPDozmlRKjrXNChMTgfGYis2.bat
            Filesize

            222B

            MD5

            132d5c788d06205db0e25a0b3c6bf78e

            SHA1

            d729095f4934409561af630b79c5ec3272d452b5

            SHA256

            ae76410765fd16a45a999b3a5a60a89a61c0edaa453144127664142fb360699c

            SHA512

            899f1ed8d047b5d9aad48239e78d7025d9aeb305514fa3c23e1d692a3a24f9358ebe98e9bdce8054df25c728d355260230b4d8858a4987030793dfd8f9f0597b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES50BF.tmp
            Filesize

            1KB

            MD5

            ab0e0964665eba895947d2fc28834d8f

            SHA1

            f8b1b432b9c78becb0589a290577912530da32e9

            SHA256

            ad7e9969f4c61c63b1b00adf86202cf3b3c36e1a5a1dec7a38b06ceb88cd9731

            SHA512

            954ce50f30a944d3cc35e0b6ad4bee0acef75fd8a3cae7df2e416de064fbb846d8aff766cf960bead2aa398506f637540f47514d0af3672a63d83f46970443ba

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\gM9PT83G56.bat
            Filesize

            231B

            MD5

            25928f78beb91b04a0d0ff6b6ece8cb5

            SHA1

            c4d0c1c86d881143cb4925b0f9d62c776643fc1d

            SHA256

            7d9b62e3b32620eda01aade44d593672dddc5d4796db036612988a95fe47eb0d

            SHA512

            12b7db31d9a08a8fc6e43fdf450aafc8966cb6775069a2d30aa5c26835d7af505261b7ce439d3a9a9f1a40d8c04185d67f4ff2565da91737962c73d56723270d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            5df1c97f1512cc839f546d8ce40943fc

            SHA1

            9a00cb8e779bae264bdbba52e57d57b6f7dcf184

            SHA256

            03548185908850b341eb304aba425deee954860f5f26c2e84bbdd450d6b80e0e

            SHA512

            1f77c4b783ebd19d6954b47318ea64b6f6e58f9c4d27cd2888dd953962d07851872ff18da8eb72bc05981d0f41908a866311e36a23f912f3686fe1c7628a2c53

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\xfidkczv\xfidkczv.0.cs
            Filesize

            371B

            MD5

            f2b37d9fc915781ebf3328fe421b4555

            SHA1

            80a95bf8ab2603fd87dc4b097a84f435612686a7

            SHA256

            7ef115a4c0dd8c6f37deeafa25daa094fc334fc0badec03aa6d95bd5fa0bf264

            SHA512

            225e5f5aa344792758a731fcea26f62ed314fe7bfccc4a9153938e044d1d51f08a5b88e85167110d844125dc7ff9b8c0abe8affd9befe87c172d5ee2d49ebfeb

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\xfidkczv\xfidkczv.cmdline
            Filesize

            235B

            MD5

            24eafb55daec192f4bbd74f671f010b8

            SHA1

            0a7604c1f959d658d3788299d9a95eedf8634c73

            SHA256

            febcd73247d5376f867580d7ab472c0f712c7a771a0dad52f7fc693cd57425d1

            SHA512

            f4be2c6f898d407cf592ba58b2e4dff3a9bf28180f6dc1db08c1fb8aaa80da500731df68fc2c641d68aa2a6b8ba7a0c67474b01acbd2964afd2e2ea2a3a71392

            Download Submit

          • \??\c:\Windows\System32\CSCF492066B204E759059B9831156BE95.TMP
            Filesize

            1KB

            MD5

            60a1ebb8f840aad127346a607d80fc19

            SHA1

            c8b7e9ad601ac19ab90b3e36f811960e8badf354

            SHA256

            9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

            SHA512

            44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

            Download Submit

          • \Driverruntimeperfdll\surrogatesavesBrokerhost.exe
            Filesize

            1.9MB

            MD5

            967181542acac77f5b13f46542e84812

            SHA1

            09fbf9cfb636459cc4d54308b5b1c91d32a29f22

            SHA256

            277b0b668d401e4fcabdc18fbdde331b0db64f9b62bfa4b76b83b6179f3a57d2

            SHA512

            323023582fcc14c30aca827db68bb91204a5e6dc894bb1228370a3c925bb28559778f09a0b3d4581d462921630cede3ac1cd4c864357ee5b4928698e5bbdf082

            Download Submit

          • memory/1028-72-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1592-73-0x0000000002460000-0x0000000002468000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2184-138-0x0000000000ED0000-0x00000000010BE000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2572-15-0x00000000006F0000-0x00000000006FE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2572-25-0x0000000000730000-0x000000000073C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2572-23-0x0000000000720000-0x000000000072E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2572-21-0x0000000000700000-0x000000000070C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2572-19-0x0000000000760000-0x0000000000778000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2572-17-0x0000000000740000-0x000000000075C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2572-13-0x0000000000260000-0x000000000044E000-memory.dmp

            Filesize

            1.9MB

            Download