Overview

overview

10

Static

static

10

taskHostw.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskHostw.exe

  • Size

    1.1MB

  • MD5

    9acac2f1709100c4f471c5c4d9a6559a

  • SHA1

    b0de7b3d1340bb3edc9b67a6ae2be9d25f1e6172

  • SHA256

    e7fe25f706806440e04205b7fbe8c4dc0bef064327770b7ba7682917090509f5

  • SHA512

    196cea984b335b1cd03032d9002d799cb9bc85fb252f102510da8d3b14e0f02c15627f82c64cdc6ce086cf91e1960c0e3d6fc1bc539c657f1b0ff2e94276f1b8

  • SSDEEP

    24576:U2G/nvxW3Ww0tGyuDFfYdKDe17qJSZLQ+r/kDIdCCj:UbA30yFbaqerDPdF

Score
10/10
dcratdefense_evasiondiscoveryinfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Process spawned unexpected child process 44 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskHostw.exe
    "C:\Users\Admin\AppData\Local\Temp\taskHostw.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webfontSessionBrokerHost\Ur1NipdNxN.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\webfontSessionBrokerHost\SpdD9zKqJDT3l.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\webfontSessionBrokerHost\Bridgebrokerperf.exe
          "C:\webfontSessionBrokerHost\Bridgebrokerperf.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:916
          • C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
            "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
            5⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2152
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:64
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Music\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4420
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:32
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "Bridgebrokerperf" /f
      1⤵
      • Process spawned unexpected child process
      PID:3672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "BridgebrokerperfB" /f
      1⤵
      • Process spawned unexpected child process
      PID:1864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "csrss" /f
      1⤵
      • Process spawned unexpected child process
      PID:2080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "csrssc" /f
      1⤵
      • Process spawned unexpected child process
      PID:2324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "cmd" /f
      1⤵
      • Process spawned unexpected child process
      PID:4604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "cmdc" /f
      1⤵
      • Process spawned unexpected child process
      PID:4884
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "dllhost" /f
      1⤵
      • Process spawned unexpected child process
      PID:4168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "dllhostd" /f
      1⤵
      • Process spawned unexpected child process
      PID:32
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RuntimeBroker" /f
      1⤵
      • Process spawned unexpected child process
      PID:692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "RuntimeBrokerR" /f
      1⤵
      • Process spawned unexpected child process
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "sihost" /f
      1⤵
      • Process spawned unexpected child process
      PID:216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "sihosts" /f
      1⤵
      • Process spawned unexpected child process
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "csrss" /f
      1⤵
      • Process spawned unexpected child process
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /delete /tn "csrssc" /f
      1⤵
      • Process spawned unexpected child process
      PID:2728

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Replication Through Removable Media

    1
    T1091

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Replication Through Removable Media

    1
    T1091

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Windows Defender\ja-JP\5940a34987c991
      Filesize

      511B

      MD5

      6dab694701b631a67a68ce70ac0fba37

      SHA1

      86ac87bd36a9e9d34a6fe83faa29384f6f87bde9

      SHA256

      3615ccd932d223a6d1485fe8b78c8c8acd3546bef761defde8425029b3298c5c

      SHA512

      e2dcb223c691597ecaddd007e0354ac7bf467235b3275b3c37a3c92dabe3a429dc43235e5eef05dd69b762042418d6bf0abc2abdfd56f91f071c1bffb704d96a

      Download Submit

    • C:\Program Files\MSBuild\22eafd247d37c3
      Filesize

      822B

      MD5

      d8edd458d7319ffd0ab9cd40a21125d1

      SHA1

      a3b6dbf7c03de53513c4ecea3054446f518e3030

      SHA256

      3fc2957eff55615adb76e8e18f8b6dc148341ce8be0523230bffb9d58b406248

      SHA512

      2aaf0a52d4ffd2283fc7516426dbc7f11c268ab6bd625e49c8849c1cc33121e7fcfed09edb560b21247dff2dc20d7a7728c303337da7b93df21afd4e5d081b8f

      Download Submit

    • C:\Program Files\Windows Media Player\de-DE\886983d96e3d3e
      Filesize

      714B

      MD5

      438c554a8cd748fe964557cbe2c2b776

      SHA1

      6d0caeee28bd37bdc884271d0e7ce4eedb418581

      SHA256

      d3dab7a0b5be25ce1cfb486b7fcae2093aae4f81537e88cb155b295007db6cd2

      SHA512

      0c5f538063c2295e338aec82aa5cf08c6765bfd6bd07da43491a4ccb94ea37b2623b53b69f73f0413f826b53f50358242b51f4201280a8cbfe9040a1564d9fc3

      Download Submit

    • C:\Program Files\Windows Photo Viewer\en-US\886983d96e3d3e
      Filesize

      760B

      MD5

      3d81dd588d3e5c4e3f14efd746a22d04

      SHA1

      cf2d0522f41cf69254e8bdfee04e6cd395b0e75d

      SHA256

      366129d7fd7ddc1548703755c70bb5c85d5763bf9087b71f65b5ac21ee5a1fae

      SHA512

      a02a3dafbf694087da6b3eeb353e8b13e5f8817ec25ab09f3e710efae5e50bbd55341fcb3c1e22b86ae64652303758832b0e4161d651aeaaaa957fc05f7a4c04

      Download Submit

    • C:\Recovery\WindowsRE\9e8d7a4ca61bd9
      Filesize

      67B

      MD5

      145d19ba0335687d32fb47366c9ce9ab

      SHA1

      921a9e040d5292d960f264b992919e003ab42570

      SHA256

      513e716578ded861a735d1f89b7172b08f1269c908f91b586ddb614697f18679

      SHA512

      1187f04bdedfcfd5c92e79d3ce23d39aba6589e284481b850b5fbcde58b56ff1cc36598aaa384bb5c0fde88dec2d45071c78b773b9705725bb4c1e840b9b8d00

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat
      Filesize

      297B

      MD5

      6592153d8c9ed9dcb2129fb2c5ce17e0

      SHA1

      4a332986fcf8be0c43e0ae225ef3a28dc52b61ee

      SHA256

      1bfba54f1715e3955780414b906a295f85b0b28d76152af3eaa05c415c1dff69

      SHA512

      43a4e723ef3b57f166c0aa153839634b712915b47db586d42aa71ba4f324aa0851ca3c08cf5a6e5ce84ccde89c9cd7e46707d6191ced5faa6684e3184852f07c

      Download Submit

    • C:\Users\Admin\Music\ebf1f9fa8afd6d
      Filesize

      984B

      MD5

      0e957b0b46a173ddbb61da75c9ad00ae

      SHA1

      891eda656ed68b30012e14dc0c4a8e481961c810

      SHA256

      b58e05b917f80d37cffdd556d52807da1ba46651b0c27bc4bc5dac562b9d068e

      SHA512

      477bc0788da05e35972407acdfa67399be9f4d186c070789e1e217a763b360906a7994b6775713ca193f3d66d38e85fdb48c6bcd46bc9bd6d628ff348c07cde9

      Download Submit

    • C:\Users\Public\Pictures\66fc9ff0ee96c2
      Filesize

      375B

      MD5

      fd5953a590691e4974bc837f9aa57b5b

      SHA1

      2c5b002ddd4b6e15e66eb7b09b27ec59ebe98baa

      SHA256

      db1935147b61e72bde2991607c179da2190544d7913436c48019df3decdbec39

      SHA512

      1cd6137c1042e63fd43d5f181dfa234bd5f52b499752b524f8663b515a47f47c4cf0e1c4d32e7a68c0b89a69fac9981df1d64d91cf10cc637047b947a7ec2553

      Download Submit

    • C:\Windows\L2Schemas\ee2ad38f3d4382
      Filesize

      850B

      MD5

      b210b403d847e7fef6c61e106cb1820b

      SHA1

      9d8777579d8546eb62dfdde79fc605a008fdc4c1

      SHA256

      eab65bbfc685f360b115515130f9035700cd7c07b49e0c1be9eff4043c393bf3

      SHA512

      c1f1a654c22ad5e39e24b028793b1d9afd929c78c7c995b3044b5194170b635e0dcd562ecabd05406eb9c492cfa10a194090763054c162b6b4efcd1a21042de3

      Download Submit

    • C:\Windows\de-DE\f3b6ecef712a24
      Filesize

      275B

      MD5

      eb563c54684e9cc3e6b21538514bb845

      SHA1

      b4266cfcf5d60042c7944bb7e78dd8135d3c0c88

      SHA256

      b7eed7943acef1245f6b05a9bc6e328251009dd55c2b6a53d6ea6dbaeab0fc3b

      SHA512

      7f53002be03e4ee7f11105d16c5e20eb78379ac0e2b7f3e3872d3e0ef065f38ebb33feff567a18607490fd09435120f98341b7552ad3e06fd7a1a11d932b4b2d

      Download Submit

    • C:\webfontSessionBrokerHost\Bridgebrokerperf.exe
      Filesize

      865KB

      MD5

      1465b464ff78a41cf8af12d58ca62588

      SHA1

      9c4904b19b2b111c9c96cb0aba28aa3413b54c83

      SHA256

      485228dc5bfeb7694133fd50861f0c48f314003f8ee1030db3d063d07930bd3a

      SHA512

      c609086d161150a3754240aab9f76904a221314374b7b5c373bd9548bce6ec1cce509564523c9b8b2a16710f8ecbe558dd7b8f62adecc2007fe83320a19bdb0b

      Download Submit

    • C:\webfontSessionBrokerHost\SpdD9zKqJDT3l.bat
      Filesize

      50B

      MD5

      37e781c64e1e5057220cc587925258d4

      SHA1

      3cd34c35d3d528b8ec2952d6c616cc3896b2dc66

      SHA256

      24510bbfd8f20c029b17d88853e82dbc2d2637b52dc76be8ceebf57243cac344

      SHA512

      3fa6c68ea554401af69bdf21061b17d9c068a2e7f42b2901c4a3e18d14aae7b52706fd24edc2f2da06db806a8b3d00dbdbfe3b963d72945af0801c8c3c9840ba

      Download Submit

    • C:\webfontSessionBrokerHost\Ur1NipdNxN.vbe
      Filesize

      215B

      MD5

      56f8dfb763248f67943afcc431c9a28c

      SHA1

      b31a8e990b3971d27bbb0ff1c9bcff6fbaf33211

      SHA256

      db5202acf3a53d23f14faa846e27c2415cb33c26b5ac151a298209a0e7a1e4ac

      SHA512

      c0a81de45024a042abfc5876f3fde486b2ae809ac2d5ff099cd2d288ba863b0bff86cf4d6fda335a7eb40a2c26218e3ffb417d20b7167c9dd54be4b74e921b6b

      Download Submit

    • memory/916-14-0x0000000002F60000-0x0000000002F6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/916-13-0x0000000000D50000-0x0000000000E30000-memory.dmp

      Filesize

      896KB

      Download

    • memory/916-12-0x00007FF855753000-0x00007FF855755000-memory.dmp

      Filesize

      8KB

      Download