dcrat | 132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700

Analysis

max time kernel
115s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe
Size

2.1MB
MD5

ec146a2e37bd9c70ab7fc5201db99f34
SHA1

dd50c65dfaae886a8d52e6ff4d7db85be23f7409
SHA256

132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700
SHA512

f52aba728d5a824ebfe028e6a1949cf18ea84b6a424fd190e9539aee04245adfad9e8160e0f83f5d80c0693dcb61c6eefef6c793a34d2eb4e1ed79b5724866d9
SSDEEP

24576:2TbBv5rUyXV5gDkCxpg6CEyXvV/XwNXHOEAlSvZmBraKlTwCg4HNavM1TFvWiPR4:IBJONP2Vw9Z2SvZik34t0qJ/oYehq9+

Score

10^/10

dcrat defense_evasion discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 10 IoCs

pid	Process
1804	SurrogateRuntime.exe
2392	taskhost.exe
1832	taskhost.exe
1480	taskhost.exe
3028	taskhost.exe
1112	taskhost.exe
2112	taskhost.exe
2204	taskhost.exe
2788	taskhost.exe
2392	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	SurrogateRuntime.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	SurrogateRuntime.exe
File created	C:\Program Files (x86)\Uninstall Information\lsass.exe	SurrogateRuntime.exe
File created	C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7	SurrogateRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1764	PING.EXE
2872	PING.EXE
2032	PING.EXE
1532	PING.EXE
2688	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2184	reg.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE
1532	PING.EXE
2688	PING.EXE
1764	PING.EXE
2872	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
1804	SurrogateRuntime.exe
2392	taskhost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	SurrogateRuntime.exe
Token: SeDebugPrivilege	2392	taskhost.exe
Token: SeDebugPrivilege	1832	taskhost.exe
Token: SeDebugPrivilege	1480	taskhost.exe
Token: SeDebugPrivilege	3028	taskhost.exe
Token: SeDebugPrivilege	1112	taskhost.exe
Token: SeDebugPrivilege	2112	taskhost.exe
Token: SeDebugPrivilege	2204	taskhost.exe
Token: SeDebugPrivilege	2788	taskhost.exe
Token: SeDebugPrivilege	2392	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2148	2340	132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe	30
PID 2340 wrote to memory of 2148	2340	132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe	30
PID 2340 wrote to memory of 2148	2340	132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe	30
PID 2340 wrote to memory of 2148	2340	132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe	30
PID 2148 wrote to memory of 2760	2148	WScript.exe	31
PID 2148 wrote to memory of 2760	2148	WScript.exe	31
PID 2148 wrote to memory of 2760	2148	WScript.exe	31
PID 2148 wrote to memory of 2760	2148	WScript.exe	31
PID 2760 wrote to memory of 2184	2760	cmd.exe	33
PID 2760 wrote to memory of 2184	2760	cmd.exe	33
PID 2760 wrote to memory of 2184	2760	cmd.exe	33
PID 2760 wrote to memory of 2184	2760	cmd.exe	33
PID 2760 wrote to memory of 1804	2760	cmd.exe	34
PID 2760 wrote to memory of 1804	2760	cmd.exe	34
PID 2760 wrote to memory of 1804	2760	cmd.exe	34
PID 2760 wrote to memory of 1804	2760	cmd.exe	34
PID 1804 wrote to memory of 2616	1804	SurrogateRuntime.exe	35
PID 1804 wrote to memory of 2616	1804	SurrogateRuntime.exe	35
PID 1804 wrote to memory of 2616	1804	SurrogateRuntime.exe	35
PID 2616 wrote to memory of 2384	2616	cmd.exe	37
PID 2616 wrote to memory of 2384	2616	cmd.exe	37
PID 2616 wrote to memory of 2384	2616	cmd.exe	37
PID 2616 wrote to memory of 2744	2616	cmd.exe	38
PID 2616 wrote to memory of 2744	2616	cmd.exe	38
PID 2616 wrote to memory of 2744	2616	cmd.exe	38
PID 2616 wrote to memory of 2392	2616	cmd.exe	40
PID 2616 wrote to memory of 2392	2616	cmd.exe	40
PID 2616 wrote to memory of 2392	2616	cmd.exe	40
PID 2392 wrote to memory of 1740	2392	taskhost.exe	41
PID 2392 wrote to memory of 1740	2392	taskhost.exe	41
PID 2392 wrote to memory of 1740	2392	taskhost.exe	41
PID 1740 wrote to memory of 1844	1740	cmd.exe	43
PID 1740 wrote to memory of 1844	1740	cmd.exe	43
PID 1740 wrote to memory of 1844	1740	cmd.exe	43
PID 1740 wrote to memory of 2360	1740	cmd.exe	44
PID 1740 wrote to memory of 2360	1740	cmd.exe	44
PID 1740 wrote to memory of 2360	1740	cmd.exe	44
PID 1740 wrote to memory of 1832	1740	cmd.exe	45
PID 1740 wrote to memory of 1832	1740	cmd.exe	45
PID 1740 wrote to memory of 1832	1740	cmd.exe	45
PID 1832 wrote to memory of 1472	1832	taskhost.exe	46
PID 1832 wrote to memory of 1472	1832	taskhost.exe	46
PID 1832 wrote to memory of 1472	1832	taskhost.exe	46
PID 1472 wrote to memory of 1656	1472	cmd.exe	48
PID 1472 wrote to memory of 1656	1472	cmd.exe	48
PID 1472 wrote to memory of 1656	1472	cmd.exe	48
PID 1472 wrote to memory of 2872	1472	cmd.exe	49
PID 1472 wrote to memory of 2872	1472	cmd.exe	49
PID 1472 wrote to memory of 2872	1472	cmd.exe	49
PID 1472 wrote to memory of 1480	1472	cmd.exe	50
PID 1472 wrote to memory of 1480	1472	cmd.exe	50
PID 1472 wrote to memory of 1480	1472	cmd.exe	50
PID 1480 wrote to memory of 2180	1480	taskhost.exe	51
PID 1480 wrote to memory of 2180	1480	taskhost.exe	51
PID 1480 wrote to memory of 2180	1480	taskhost.exe	51
PID 2180 wrote to memory of 2444	2180	cmd.exe	53
PID 2180 wrote to memory of 2444	2180	cmd.exe	53
PID 2180 wrote to memory of 2444	2180	cmd.exe	53
PID 2180 wrote to memory of 2052	2180	cmd.exe	54
PID 2180 wrote to memory of 2052	2180	cmd.exe	54
PID 2180 wrote to memory of 2052	2180	cmd.exe	54
PID 2180 wrote to memory of 3028	2180	cmd.exe	55
PID 2180 wrote to memory of 3028	2180	cmd.exe	55
PID 2180 wrote to memory of 3028	2180	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe
"C:\Users\Admin\AppData\Local\Temp\132d69a651072381fe311769b255409aba8304c3a5d1fd12037646222ed00700.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Surrogateruntime\P9DdGGlS5b2aTSnKWJTJwWrepfgHDTEYIB3UgppvViFu1H.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Surrogateruntime\MVs8VfCVMeW6mREbfqxrHFCitQpyb6DDHebrKL.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2184
  - - C:\Surrogateruntime\SurrogateRuntime.exe
      "C:\Surrogateruntime/SurrogateRuntime.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHdFpZJM6i.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2384
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2744
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcphCLUtxr.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9fn0Ky9lyW.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
        13⤵
        
        PID:1484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:952
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\75OpyD0wFt.bat"
        15⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat"
        17⤵
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0wRVFaeuMa.bat"
        19⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T0Gv0Jp6QP.bat"
        21⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3SG4wIGqnh.bat"
        23⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Surrogateruntime\MVs8VfCVMeW6mREbfqxrHFCitQpyb6DDHebrKL.bat

Filesize
201B

MD5
45b1a6bf28d6179761045c903151239d

SHA1
325f6cf7b5d789c87e1b48ac37348d6783ec9ce0

SHA256
554d2ff6a9a200259a28465731c78f1751ca8616573d576ca62e9bd6af2dd571

SHA512
10ddc3cc7dfc5f88a8566593d6da5afc909ac4d60871bb39f8b8a29c7b36dd80f80708c6c0386ca74f525b0b3152990243d30024ce270c7d25b9c0a7f2e3746f

Download Submit
C:\Surrogateruntime\P9DdGGlS5b2aTSnKWJTJwWrepfgHDTEYIB3UgppvViFu1H.vbe

Filesize
233B

MD5
698f8d1e6574a51a4194c13765a8c6cc

SHA1
ca8513908eecc80e3e0361f0223b409119a63093

SHA256
31c88e128698731f3ecc0faba6611a1cf4b114683ef0c525e24b1ec87d9772d7

SHA512
06640e35e883a2c3284e619548727081117f731f5085ea87900514fc505d4ec191faeb5973eceedc13a8e958623af2c31a2d121e0d720f59a6ef13072614016b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0wRVFaeuMa.bat

Filesize
211B

MD5
30df36deb294949c942f7d428bc5e224

SHA1
74c8b00ea99e6fbd768a2408968829bd301798bc

SHA256
b4900a64dfe6a5c494f0af0c4c7983c84916a2d8987825791506d956597048bd

SHA512
c5a761c4cd189b5c1a43e6ceed8e6e5e52749edcfb4b98030c65e0c96d9c487a967aa5643dfc1e60a452d70382c05632f4d545dd6dd074d8220649879a2bd3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3SG4wIGqnh.bat

Filesize
259B

MD5
625f2ca1008f2d2c8fc129ec61ab7bda

SHA1
88e9f62bbd6468298b6debc7d2e245703aea36a0

SHA256
98bce52eb17c6aeb5b5eb8e37eda01c29f6e9c0ac82b82931c1df1277f94d880

SHA512
983048b266cd4f99b8138334e2a6605284693e3f6caf09b034fc0a2c1f913163d7aebf3dbe6b3a58839d9ec797c89e4b3074137584fbb57e1bbee5f2e7738875

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat

Filesize
259B

MD5
5da067bb611218c3229ceafea8e1ebeb

SHA1
a41defb9e49a720df2ca531dbee7f0ce6f9b2380

SHA256
731bd4089515e256fd0af467b58121a4c24f4d32ad33da9e4c1b65fbe48fc5f7

SHA512
2cbacad248cf523bd9eb682834cdd6dc4370f25bc29aabb76e84a6f298b1ec2d796031d91a94d71a0ea6eaec90bb9808ad20ebca867be48236413785ca7ce2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\75OpyD0wFt.bat

Filesize
211B

MD5
5ff5369bbea1c2d9f6dbf4b6174895b2

SHA1
1dbb51f91fa0d20b0ed9718b4a98ef4022fc5ca3

SHA256
048b0ebd7d6703cdbbaef7595fa7b4a5503b6843d3612c2d58ab4bd6b5451e99

SHA512
ee029aeea61d9a5ed9ff72f0640053c3a32008a09713b1c4ee0bb205277fbeffe216e30ec62a5c7c82dc7a430b7de15e7884b52b7305a20549c5b802286f106a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fn0Ky9lyW.bat

Filesize
211B

MD5
4e73d8d0292ab8bf1fae175675bd9242

SHA1
674347cc924389a4980f0b9ec11649e72544de35

SHA256
ec9ac4516ee6f395022559b70676eea5ce0a7857f565f371a02b68f458bb2a1d

SHA512
f3a44f475b353983a82880928a92ac5088c8ffbb50a055f5ec72a87454f2fbed865e9c1ead0eed75b43d6ddbe3201119147cff7b4a1dbc121b9fe6c4898c91b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHdFpZJM6i.bat

Filesize
259B

MD5
8c754671ae23db38e85f07771f7b36f0

SHA1
46ddb6efcbe266f5ee4b0f780a8c2e59829aca53

SHA256
7478faa4fc34cf0879d494ead10e43eff406965baf6359649695d3567c86a8bc

SHA512
fb4c1a3185c4448b0cb768b1ef018b6279798a73dae64cf142fe2644fa3bf65096ee002f0b4d27f78a199abbb4b48f1de298ddaada31199f9b92f48315f945d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat

Filesize
259B

MD5
f3b68d4a738b8486391c4f901ce0c658

SHA1
9d4490b8fd4a865e279d54437551f9b633875b10

SHA256
0c7d5dc6c93f497c87a02a06d7b4b614481e795b6afa7bf5c8c8293753b0ea98

SHA512
23e78df58e28fe6a00aa10b768aa2f0e40a4d1d06704a6355d59c205357ddcaacdc437860b6d3779c4c6e0b91f48cf0da197d72d7c18bb30f2c7c72bdf8dc391

Download Submit
C:\Users\Admin\AppData\Local\Temp\T0Gv0Jp6QP.bat

Filesize
211B

MD5
f8b92467a2f47c3d6f9376c6e95568e5

SHA1
039dd6062e94e56ed3f2445364620c1bcd36cc8c

SHA256
add52e3f272010837b0a4128bb1127e3466d212566ee23abf0cf40244f8619bb

SHA512
49e0d3c6592956ad1ee0cc23d7754baf01067d766074234e0dd85154323369a023418fdfb05dbc20429620c3aa98660af09e7cc1282a50f039f89f57c458ddda

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcphCLUtxr.bat

Filesize
259B

MD5
1b00724127cc9078be690fe288620598

SHA1
3ed658b6182b3fed0165a642513bf9bb540ebcf0

SHA256
1e8f07f8c5972a586c996e419c551d4757f7a0788b280b2ffa6fec5257e3b5c9

SHA512
873569f1acdf9fdbe3463550762fd7ca9ed7182dc1e383c56b6f2d895b8a1f7eb34ea3fbae074625979a9b37f8f8c58dc97baf76cb25418c8823c3ceb9c69c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat

Filesize
211B

MD5
aef2ce00d1c4d13ef3415b1f0f238000

SHA1
1832932a016bc70481288c40ae99a382e698fd44

SHA256
9fbca159e96f751a8fd38cbbdf64bcc087917111eb61520f7ff2179eb7896bfe

SHA512
ad2f9bd92f4be2f5b5359121cd40f7c1263ab93ff22af6b97a7ac80e15fd2f942670a1306b8e86a18893c9a9868674b78847f9806f2d65c45b7a3214c7a201a0

Download Submit
\Surrogateruntime\SurrogateRuntime.exe

Filesize
1.8MB

MD5
e7e30c540ff87f97fd3eda5e0ad4a49d

SHA1
7579649340c71f199f2c9b7e67ac92eb0b3c70c1

SHA256
ff5d574ce37eb35e774dc1e6fc20b5856099848112ffd7e81304e120232dfef4

SHA512
69415a16e1a7c6865965207b91f349116f7d000c93eeb87f21421bcc2df18087553f87ef82df86af7f7e3ec7a9877600fbf4bdad5780f5336f0bbb45585c07c4

Download Submit
memory/1112-84-0x00000000003F0000-0x00000000005CA000-memory.dmp

Filesize
1.9MB

Download
memory/1480-61-0x0000000000150000-0x000000000032A000-memory.dmp

Filesize
1.9MB

Download
memory/1804-21-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1804-19-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/1804-17-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1804-15-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1804-13-0x0000000001160000-0x000000000133A000-memory.dmp

Filesize
1.9MB

Download
memory/2112-96-0x0000000000970000-0x0000000000B4A000-memory.dmp

Filesize
1.9MB

Download
memory/2204-107-0x0000000001330000-0x000000000150A000-memory.dmp

Filesize
1.9MB

Download
memory/2392-40-0x0000000001380000-0x000000000155A000-memory.dmp

Filesize
1.9MB

Download
memory/2392-130-0x00000000010F0000-0x00000000012CA000-memory.dmp

Filesize
1.9MB

Download
memory/2788-119-0x0000000000280000-0x000000000045A000-memory.dmp

Filesize
1.9MB

Download
memory/3028-73-0x0000000000DF0000-0x0000000000FCA000-memory.dmp

Filesize
1.9MB

Download