Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-11-2020 11:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8.exe
- Resource: win7v20201028
General
- Target: c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8.exe
- Size: 1.8MB
- MD5: ce57e410fccfa5cef7fc8a54596639b1
- SHA1: 86470e960e1615885e2587ac72681d5f304a69bd
- SHA256: c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8
- SHA512: ef0d3882fa30eaa1d3327ab3aab94feee8d62f98d7d62f92097a359bc107e150c183772bcbe4c441b6aed249066d0ce3f011d9a823c44c6293bd2e145c40b4e4
Malware Config
Extracted
- Family: darkcomet
- Botnet: vbsted
- C2: forshared.ddns.net:6722
- Mutex: DC_MUTEX-6UPV0L8
- InstallPath: MSDCSC\msdcsc.exe
- gencode: kWdnrSvNCdV5
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - RegSvcs.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
Executes dropped EXE (5 IoCs)
  - PID 2024 kngmpwequb.pif
  - PID 336 RegSvcs.exe
  - PID 1496 msdcsc.exe
  - PID 1172 kngmpwequb.pif
  - PID 1812 RegSvcs.exe
Loads dropped DLL (7 IoCs)
  - PID 1756 c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8.exe (x4)
  - PID 2024 kngmpwequb.pif
  - PID 336 RegSvcs.exe
  - PID 1172 kngmpwequb.pif
Adds Run key to start application (2 TTPs, 5 IoCs)
  - kngmpwequb.pif: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vbsted = "c:\\33725277\\KNGMPW~1.PIF c:\\33725277\\XPOMRF~1.RQN"
  - RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
  - kngmpwequb.pif: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - kngmpwequb.pif: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vbsted = "c:\\33725277\\KNGMPW~1.PIF c:\\33725277\\XPOMRF~1.RQN"
  - kngmpwequb.pif: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Checks whether UAC is enabled (2 IoCs)
  - kngmpwequb.pif: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  - kngmpwequb.pif: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of SetThreadContext (2 IoCs)
  - PID 2024 (kngmpwequb.pif) set thread context of PID 336 (RegSvcs.exe)
  - PID 1172 (kngmpwequb.pif) set thread context of PID 1812 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 2024 kngmpwequb.pif (repeated entries)
  - PID 1172 kngmpwequb.pif (repeated entries)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both PID 336 (RegSvcs.exe) and PID 1812 (RegSvcs.exe) adjusted the same 23 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1812 RegSvcs.exe
Suspicious use of WriteProcessMemory (37 IoCs)
  - PID 1756 (c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8.exe) wrote to memory of PID 2024 (kngmpwequb.pif) (x4)
  - PID 2024 (kngmpwequb.pif) wrote to memory of PID 336 (RegSvcs.exe) (x9)
  - PID 336 (RegSvcs.exe) wrote to memory of PID 1496 (msdcsc.exe) (x7)
  - PID 2024 (kngmpwequb.pif) wrote to memory of PID 1620 (WScript.exe) (x4)
  - PID 1620 (WScript.exe) wrote to memory of PID 1172 (kngmpwequb.pif) (x4)
  - PID 1172 (kngmpwequb.pif) wrote to memory of PID 1812 (RegSvcs.exe) (x9)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c96b43f2f82c887e9d0f4ed04f4ab271058a5782956ff6f9ea5490c1552d29d8.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\33725277\kngmpwequb.pif
    Command line: "C:\33725277\kngmpwequb.pif" xpomrfvel.rqn
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\33725277\run.vbs"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\33725277\kngmpwequb.pif
        Command line: "C:\33725277\kngmpwequb.pif" xpomrfvel.rqn
        Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\33725277\arggi.xls
  MD5: 823007f5c65d9fe990fc54bf62115e57
  SHA1: 4f82f8ecbd22962e5cc3fc0db945f624152395e7
  SHA256: 3c7a08daedb21220704ed349c7653a3e49b832b1f5680511e34c13842ded7674
  SHA512: 1fbe5f6b3d7cc883b1a32d9ddabe30971b3c5e3da246fbef9f34c08da3121cb60a8298be22e60c083c1afc392f259f34d0c5718b22b5ccc168af5473344a53d7
- C:\33725277\kngmpwequb.pif
  MD5: 43e7db53ce5c130179aef5b47dcf7608
  SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
- C:\33725277\run.vbs
  MD5: bd16d4520614b3c9d71e2e0c83ca5d13
  SHA1: 6e402d7033b0a07c4bcbd1f5a99603b2e9a6e5a9
  SHA256: a9cf9d1cb3b01df857a63916ca3f930c496be6508f8f5fc1f831c98e65c181f5
  SHA512: 431a0c9f162f4527ffefe3bc41eb872710229b03abf0f3e17840dc6c3e5e4336872af4aec23105b7b3686e5c451b022eb4144998a4f16f7be90409f4b1606b4e
- C:\33725277\xpomrfvel.rqn
  MD5: 39b173c9805bd7eafa796540be0bc0c3
  SHA1: c78582ee6526e8c962322a4d66b0f816ed2bdc36
  SHA256: 4b8662365d2085b4aa04273e740ffa1357e3cbac5590cc4b846a174b0e2d6e71
  SHA512: 5eae3743a7b80868d0f64abe51ad4c56ce39a2e10fb0333f23ff4248328270eda9d74463dec3c07cad9cb5a1ebff97090f355663966b1ac9217b6407c97415f7
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- \33725277\kngmpwequb.pif
  MD5: 43e7db53ce5c130179aef5b47dcf7608
  SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
- \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- \Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
memory/336-15-0x0000000000390000-0x000000000091D000-memory.dmpFilesize
5.6MB
-
memory/336-13-0x000000000041F888-mapping.dmp
-
memory/336-12-0x0000000000390000-0x000000000091D000-memory.dmpFilesize
5.6MB
-
memory/1172-28-0x0000000000000000-mapping.dmp
-
memory/1496-21-0x0000000073A80000-0x000000007416E000-memory.dmpFilesize
6.9MB
-
memory/1496-22-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/1496-23-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/1496-18-0x0000000000000000-mapping.dmp
-
memory/1620-25-0x0000000000000000-mapping.dmp
-
memory/1620-30-0x00000000028E0000-0x00000000028E4000-memory.dmpFilesize
16KB
-
memory/1812-32-0x0000000000420000-0x0000000000961000-memory.dmpFilesize
5.3MB
-
memory/1812-33-0x00000000004AF888-mapping.dmp
-
memory/1812-35-0x0000000000420000-0x0000000000961000-memory.dmpFilesize
5.3MB
-
memory/2024-9-0x00000000041F0000-0x0000000004295000-memory.dmpFilesize
660KB
-
memory/2024-4-0x0000000000000000-mapping.dmp